package org.apache.cxf.xkms.client;

import jakarta.xml.bind.JAXBElement;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.UUID;
import javax.xml.namespace.QName;
import org.apache.cxf.xkms.exception.ExceptionMapper;
import org.apache.cxf.xkms.exception.XKMSException;
import org.apache.cxf.xkms.exception.XKMSLocateException;
import org.apache.cxf.xkms.exception.XKMSValidateException;
import org.apache.cxf.xkms.handlers.Applications;
import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
import org.apache.cxf.xkms.model.xkms.KeyBindingType;
import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
import org.apache.cxf.xkms.model.xkms.LocateRequestType;
import org.apache.cxf.xkms.model.xkms.LocateResultType;
import org.apache.cxf.xkms.model.xkms.MessageAbstractType;
import org.apache.cxf.xkms.model.xkms.QueryKeyBindingType;
import org.apache.cxf.xkms.model.xkms.UnverifiedKeyBindingType;
import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
import org.apache.cxf.xkms.model.xkms.ValidateRequestType;
import org.apache.cxf.xkms.model.xkms.ValidateResultType;
import org.apache.cxf.xkms.model.xmldsig.KeyInfoType;
import org.apache.cxf.xkms.model.xmldsig.ObjectFactory;
import org.apache.cxf.xkms.model.xmldsig.X509DataType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3._2002._03.xkms_wsdl.XKMSPortType;

/* loaded from: input_file:org/apache/cxf/xkms/client/XKMSInvoker.class */
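/**
 * Thin client over an XKMS service port: locates X.509 certificates by
 * application identifier and asks the service whether a given certificate is
 * valid.
 *
 * <p>Locate answers carry {@code UnverifiedKeyBindingType}s, i.e. a certificate
 * returned by {@link #getCertificate(List)} has not been vetted by the XKMS
 * service. Callers that need a trust decision should follow up with
 * {@link #validateCertificate(X509Certificate)} or
 * {@link #validateDirectTrustCertificate(X509Certificate)}; this class performs
 * no local chain building of its own, the decision is entirely delegated to the
 * service.
 *
 * <p>Every outgoing request is stamped with the XKMS service URI and a fresh
 * random id; a validate request additionally overrides that id with the
 * certificate's subject DN (kept from the original behaviour, presumably for
 * correlation on the server side).
 */
public class XKMSInvoker {
    private static final Logger LOG = LoggerFactory.getLogger(XKMSInvoker.class);
    private static final ObjectFactory DSIG_OF = new ObjectFactory();
    private static final org.apache.cxf.xkms.model.xkms.ObjectFactory XKMS_OF =
        new org.apache.cxf.xkms.model.xkms.ObjectFactory();
    private static final String XKMS_LOCATE_INVALID_CERTIFICATE =
        "Cannot instantiate X509 certificate from XKMS response";
    private static final String XKMS_VALIDATE_ERROR = "Certificate [%s] is not valid";
    /** Service URI placed into every outgoing request. */
    private static final String XKMS_SERVICE_URI = "http://cxf.apache.org/services/XKMS/";
    /** Local name of the ds:X509Certificate element inside ds:X509Data. */
    private static final String X509_CERTIFICATE_LOCAL_NAME = "X509Certificate";
    private static final String NOT_FOUND_MESSAGE = "X509Certificate is not found in XKMS for id: {}";

    private final XKMSPortType xkmsConsumer;

    /**
     * Outcome of a validate call: whether the service reported the key binding
     * as valid, plus a human-readable reason when it did not.
     */
    public static class CertificateValidationResult {
        private final boolean valid;
        private final String description;

        /**
         * @param valid       whether the service reported the binding as valid
         * @param description reason text for an invalid result; may be null
         */
        public CertificateValidationResult(boolean valid, String description) {
            this.valid = valid;
            this.description = description;
        }

        public boolean isValid() {
            return this.valid;
        }

        /** @return the reason text, or null when there is none (valid results carry none) */
        public String getDescription() {
            return this.description;
        }
    }

    /**
     * @param xkmsConsumer the XKMS service port all calls are sent through
     */
    public XKMSInvoker(XKMSPortType xkmsConsumer) {
        this.xkmsConsumer = xkmsConsumer;
    }

    /**
     * Locates the certificate registered for a service name.
     *
     * @param serviceName the service QName; its string form is used as the identifier
     * @return the located certificate, or null if the service knows none
     * @throws XKMSLocateException when the locate call fails or the response is unusable
     */
    public X509Certificate getServiceCertificate(QName serviceName) {
        return getCertificateForId(Applications.SERVICE_NAME, serviceName.toString());
    }

    /**
     * Locates the certificate registered for a single application/identifier pair.
     *
     * @param application the XKMS application the identifier belongs to
     * @param id          the identifier within that application
     * @return the located certificate, or null if none is registered
     * @throws XKMSLocateException when the locate call fails or the response is unusable
     */
    public X509Certificate getCertificateForId(Applications application, String id) {
        return getCertificate(Collections.singletonList(new X509AppId(application, id)));
    }

    /**
     * Locates a certificate by issuer DN and serial number.
     *
     * @param issuer the issuer DN as registered with the service
     * @param serial the certificate serial number; sent as lowercase hex without prefix
     * @return the located certificate, or null if none is registered
     * @throws XKMSLocateException when the locate call fails or the response is unusable
     */
    public X509Certificate getCertificateForIssuerSerial(String issuer, BigInteger serial) {
        List<X509AppId> ids = new ArrayList<>(2);
        ids.add(new X509AppId(Applications.ISSUER, issuer));
        ids.add(new X509AppId(Applications.SERIAL, serial.toString(16)));
        return getCertificate(ids);
    }

    /**
     * Locates the certificate registered for a service endpoint address.
     *
     * @param endpoint the endpoint identifier
     * @return the located certificate, or null if none is registered
     * @throws XKMSLocateException when the locate call fails or the response is unusable
     */
    public X509Certificate getCertificateForEndpoint(String endpoint) {
        return getCertificate(Collections.singletonList(new X509AppId(Applications.SERVICE_ENDPOINT, endpoint)));
    }

    /**
     * Sends a locate request carrying all given identifiers and parses the answer.
     *
     * @param ids the application/identifier pairs to search for
     * @return the certificate from the first unverified key binding, or null if the
     *         response contains no certificate
     * @throws XKMSLocateException wrapping any runtime failure of the call or parsing
     */
    public X509Certificate getCertificate(List<X509AppId> ids) {
        try {
            LocateRequestType request = prepareLocateXKMSRequest(ids);
            LocateResultType result = this.xkmsConsumer.locate(request);
            return parseLocateXKMSResponse(result, ids);
        } catch (RuntimeException e) {
            String message = String.format(
                "XKMS locate call fails for certificate: %s. Error: %s", ids, e.getMessage());
            LOG.warn(message, e);
            throw new XKMSLocateException(message, e);
        }
    }

    /**
     * Asks the service whether the certificate is valid.
     *
     * @param certificate the certificate to validate
     * @return true only if the service reports the key binding as valid
     * @throws XKMSValidateException wrapping any runtime failure of the call or parsing
     */
    public boolean validateCertificate(X509Certificate certificate) {
        return checkCertificateValidity(certificate, false);
    }

    /**
     * Asks the service whether the certificate is valid, additionally requesting
     * the signature key usage in the query (the direct-trust variant).
     *
     * @param certificate the certificate to validate
     * @return true only if the service reports the key binding as valid
     * @throws XKMSValidateException wrapping any runtime failure of the call or parsing
     */
    public boolean validateDirectTrustCertificate(X509Certificate certificate) {
        return checkCertificateValidity(certificate, true);
    }

    /**
     * Builds and sends the validate request, logging a warning when the service
     * rejects the certificate.
     *
     * @param certificate the certificate to validate
     * @param directTrust when true, the Signature key usage is added to the query key binding
     *                    (presumably interpreted by the service as a direct-trust check; verify
     *                    against the server-side handlers)
     * @return the service's verdict
     * @throws XKMSValidateException wrapping any runtime failure of the call or parsing
     */
    protected boolean checkCertificateValidity(X509Certificate certificate, boolean directTrust) {
        try {
            ValidateRequestType request = prepareValidateXKMSRequest(certificate);
            if (directTrust) {
                request.getQueryKeyBinding().getKeyUsage()
                    .add(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE);
            }
            String subject = certificate.getSubjectDN().getName();
            CertificateValidationResult verdict =
                parseValidateXKMSResponse(this.xkmsConsumer.validate(request), subject);
            if (!verdict.isValid()) {
                LOG.warn("Certificate {} is not valid: {}", subject, verdict.getDescription());
            }
            return verdict.isValid();
        } catch (RuntimeException e) {
            String message = String.format(
                "XKMS validate call fails for certificate: %s. Error: %s",
                certificate.getSubjectDN(), e.getMessage());
            LOG.warn(message, e);
            throw new XKMSValidateException(message, e);
        }
    }

    /**
     * Builds a locate request whose query key binding lists one UseKeyWith entry
     * per identifier.
     *
     * @param ids the application/identifier pairs to search for
     * @return the populated request, with service URI and random id set
     */
    protected LocateRequestType prepareLocateXKMSRequest(List<X509AppId> ids) {
        QueryKeyBindingType queryKeyBinding = XKMS_OF.createQueryKeyBindingType();
        for (X509AppId id : ids) {
            UseKeyWithType useKeyWith = XKMS_OF.createUseKeyWithType();
            useKeyWith.setIdentifier(id.getId());
            useKeyWith.setApplication(id.getApplication().getUri());
            queryKeyBinding.getUseKeyWith().add(useKeyWith);
        }
        LocateRequestType request = XKMS_OF.createLocateRequestType();
        request.setQueryKeyBinding(queryKeyBinding);
        setGenericRequestParams(request);
        return request;
    }

    /**
     * Extracts the certificate from a locate response.
     *
     * <p>Only the first unverified key binding is consulted. Within its KeyInfo the
     * first ds:X509Data child is searched for a ds:X509Certificate element; other
     * X509Data children such as X509SKI or X509IssuerSerial are skipped rather than
     * being fed to the certificate factory. Remember that the binding is unverified:
     * the service has not vouched for it.
     *
     * @param result the locate response
     * @param ids    the identifiers that were searched for, used in log messages only
     * @return the decoded certificate, or null if the response carries none
     * @throws XKMSException       when the response itself reports a failure
     * @throws XKMSLocateException when the certificate bytes cannot be decoded
     */
    protected X509Certificate parseLocateXKMSResponse(LocateResultType result, List<X509AppId> ids) {
        XKMSException failure = ExceptionMapper.fromResponse(result);
        if (failure != null) {
            throw failure;
        }
        List<?> bindings = result.getUnverifiedKeyBinding();
        if (bindings.isEmpty()) {
            LOG.warn(NOT_FOUND_MESSAGE, ids);
            return null;
        }
        KeyInfoType keyInfo = ((UnverifiedKeyBindingType) bindings.get(0)).getKeyInfo();
        byte[] encoded = keyInfo == null ? null : findX509CertificateBytes(keyInfo);
        if (encoded == null) {
            LOG.warn(NOT_FOUND_MESSAGE, ids);
            return null;
        }
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
        } catch (CertificateException e) {
            throw new XKMSLocateException(XKMS_LOCATE_INVALID_CERTIFICATE, e);
        }
    }

    /**
     * Returns the DER bytes of the first ds:X509Certificate element found under any
     * ds:X509Data child of {@code keyInfo}, or null if there is none.
     *
     * <p>Non-element content and non-X509Data elements are skipped.
     */
    private static byte[] findX509CertificateBytes(KeyInfoType keyInfo) {
        for (Object content : keyInfo.getContent()) {
            if (!(content instanceof JAXBElement)) {
                continue;
            }
            Object value = ((JAXBElement<?>) content).getValue();
            if (!(value instanceof X509DataType)) {
                continue;
            }
            for (Object item : ((X509DataType) value).getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
                if (!(item instanceof JAXBElement)) {
                    continue;
                }
                JAXBElement<?> element = (JAXBElement<?>) item;
                // X509SKI is also a byte[] element, so the element name must be checked too.
                if (element.getValue() instanceof byte[]
                    && X509_CERTIFICATE_LOCAL_NAME.equals(element.getName().getLocalPart())) {
                    return (byte[]) element.getValue();
                }
            }
        }
        return null;
    }

    /**
     * Builds a validate request carrying the certificate's DER encoding as a
     * ds:X509Certificate element inside a ds:X509Data/ds:KeyInfo structure.
     *
     * @param certificate the certificate to send
     * @return the populated request; its id is the certificate's subject DN
     * @throws IllegalArgumentException if the certificate cannot be encoded
     */
    protected ValidateRequestType prepareValidateXKMSRequest(X509Certificate certificate) {
        try {
            JAXBElement<byte[]> certificateElement =
                DSIG_OF.createX509DataTypeX509Certificate(certificate.getEncoded());
            X509DataType x509Data = DSIG_OF.createX509DataType();
            x509Data.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(certificateElement);
            JAXBElement<X509DataType> x509DataElement = DSIG_OF.createX509Data(x509Data);
            KeyInfoType keyInfo = DSIG_OF.createKeyInfoType();
            keyInfo.getContent().add(x509DataElement);

            QueryKeyBindingType queryKeyBinding = XKMS_OF.createQueryKeyBindingType();
            queryKeyBinding.setKeyInfo(keyInfo);

            ValidateRequestType request = XKMS_OF.createValidateRequestType();
            setGenericRequestParams(request);
            request.setQueryKeyBinding(queryKeyBinding);
            // Overrides the random id set above with the subject DN.
            request.setId(certificate.getSubjectDN().toString());
            return request;
        } catch (CertificateEncodingException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Interprets a validate response. Fails closed: anything other than an explicit
     * Valid status on the first key binding (no binding, no status, other status)
     * yields an invalid result.
     *
     * @param result  the validate response
     * @param subject the subject DN of the validated certificate, used in the description
     * @return the verdict; invalid results carry a description naming the subject
     * @throws XKMSException when the response itself reports a failure
     */
    protected CertificateValidationResult parseValidateXKMSResponse(ValidateResultType result, String subject) {
        XKMSException failure = ExceptionMapper.fromResponse(result);
        if (failure != null) {
            throw failure;
        }
        String invalidMessage = String.format(XKMS_VALIDATE_ERROR, subject);
        List<?> bindings = result.getKeyBinding();
        if (bindings.isEmpty()) {
            return new CertificateValidationResult(false, invalidMessage + ": no KeyBinding in response");
        }
        KeyBindingType binding = (KeyBindingType) bindings.get(0);
        if (binding.getStatus() == null
            || KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID != binding.getStatus().getStatusValue()) {
            return new CertificateValidationResult(false, invalidMessage);
        }
        return new CertificateValidationResult(true, null);
    }

    /**
     * Stamps a request with the XKMS service URI and a fresh random id.
     */
    private void setGenericRequestParams(MessageAbstractType request) {
        request.setService(XKMS_SERVICE_URI);
        request.setId(UUID.randomUUID().toString());
    }
}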
