package org.nhindirect.stagent.trust;

import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import javax.mail.internet.InternetAddress;
import org.nhindirect.common.cert.SignerCertPair;
import org.nhindirect.common.crypto.CryptoExtensions;
import org.nhindirect.policy.PolicyExpression;
import org.nhindirect.policy.PolicyFilter;
import org.nhindirect.policy.PolicyFilterFactory;
import org.nhindirect.policy.PolicyParseException;
import org.nhindirect.policy.PolicyProcessException;
import org.nhindirect.policy.PolicyRequiredException;
import org.nhindirect.stagent.AgentError;
import org.nhindirect.stagent.AgentException;
import org.nhindirect.stagent.DefaultMessageSignatureImpl;
import org.nhindirect.stagent.IncomingMessage;
import org.nhindirect.stagent.NHINDAddress;
import org.nhindirect.stagent.OutgoingMessage;
import org.nhindirect.stagent.cert.impl.CRLRevocationManager;
import org.nhindirect.stagent.policy.PolicyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/agent-8.0.0.jar:org/nhindirect/stagent/trust/TrustModel.class */
public class TrustModel {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) TrustModel.class);
    public static final TrustModel Default = new TrustModel();
    private final TrustChainValidator certChainValidator;
    private PolicyResolver trustPolicyResolver;
    private PolicyFilter policyFilter;

    public TrustModel() {
        this.certChainValidator = new TrustChainValidator();
        try {
            this.policyFilter = PolicyFilterFactory.getInstance();
        } catch (PolicyParseException e) {
            throw new AgentException(AgentError.Unexpected, "Failed to create policy filter object.", e);
        }
    }

    public TrustModel(TrustChainValidator trustChainValidator) {
        this.certChainValidator = trustChainValidator;
        try {
            this.policyFilter = PolicyFilterFactory.getInstance();
        } catch (PolicyParseException e) {
            throw new AgentException(AgentError.Unexpected, "Failed to create policy filter object.", e);
        }
    }

    public TrustChainValidator getCertChainValidator() {
        return this.certChainValidator;
    }

    public void setPolicyFilter(PolicyFilter policyFilter) {
        this.policyFilter = policyFilter;
    }

    public PolicyFilter getPolicyFilter() {
        return this.policyFilter;
    }

    public void setTrustPolicyResolver(PolicyResolver policyResolver) {
        this.trustPolicyResolver = policyResolver;
    }

    public PolicyResolver getTrustPolicyResolver() {
        return this.trustPolicyResolver;
    }

    public void enforce(IncomingMessage incomingMessage) {
        if (incomingMessage == null) {
            throw new IllegalArgumentException();
        }
        if (!incomingMessage.hasSignatures()) {
            throw new AgentException(AgentError.UntrustedMessage);
        }
        findSenderSignatures(incomingMessage);
        if (!incomingMessage.hasSenderSignatures()) {
            throw new AgentException(AgentError.MissingSenderSignature);
        }
        Iterator<NHINDAddress> it = incomingMessage.getDomainRecipients().iterator();
        while (it.hasNext()) {
            NHINDAddress next = it.next();
            next.setStatus(TrustEnforcementStatus.Failed);
            if (next.getCertificates() != null) {
                DefaultMessageSignatureImpl findTrustedSignature = findTrustedSignature(incomingMessage, next, next.getTrustAnchors());
                if (findTrustedSignature != null) {
                    next.setStatus(findTrustedSignature.isThumbprintVerified() ? TrustEnforcementStatus.Success : TrustEnforcementStatus.Success_ThumbprintMismatch);
                } else {
                    log.warn("enforce(IncomingMessage message) - could not find a trusted certificate for recipient {}", next.getAddress());
                }
            } else {
                log.warn("enforce(IncomingMessage message) - recipient {} does not have a bound certificate", next.getAddress());
            }
        }
    }

    public void enforce(OutgoingMessage outgoingMessage) {
        if (outgoingMessage == null) {
            throw new IllegalArgumentException();
        }
        NHINDAddress sender = outgoingMessage.getSender();
        Iterator<NHINDAddress> it = outgoingMessage.getRecipients().iterator();
        while (it.hasNext()) {
            NHINDAddress next = it.next();
            next.setStatus(TrustEnforcementStatus.Failed);
            Collection<X509Certificate> certificates = next.getCertificates();
            if (certificates == null || certificates.size() == 0) {
                log.warn("enforce(OutgoingMessage message) - recipient {} has no bound certificates", next.getAddress());
            }
            next.setCertificates(findTrustedCerts(certificates, sender.getTrustAnchors()));
            if (next.hasCertificates()) {
                next.setStatus(TrustEnforcementStatus.Success);
            } else {
                log.warn("enforce(OutgoingMessage message) - could not trust any certificates for recipient {}", next.getAddress());
            }
        }
    }

    protected Collection<X509Certificate> findTrustedCerts(Collection<X509Certificate> collection, Collection<X509Certificate> collection2) {
        if (collection == null) {
            return null;
        }
        ArrayList arrayList = null;
        for (X509Certificate x509Certificate : collection) {
            if (this.certChainValidator.isTrusted(x509Certificate, collection2)) {
                if (arrayList == null) {
                    arrayList = new ArrayList();
                }
                arrayList.add(x509Certificate);
            }
        }
        return arrayList;
    }

    protected void findSenderSignatures(IncomingMessage incomingMessage) {
        incomingMessage.setSenderSignatures(null);
        NHINDAddress sender = incomingMessage.getSender();
        ArrayList arrayList = new ArrayList();
        Collection<SignerCertPair> findSignersByName = CryptoExtensions.findSignersByName(incomingMessage.getSignature(), sender.getAddress(), null);
        Collection<SignerCertPair> findSignersByName2 = CryptoExtensions.findSignersByName(incomingMessage.getSignature(), sender.getHost(), Arrays.asList(sender.getAddress()));
        for (SignerCertPair signerCertPair : findSignersByName) {
            arrayList.add(new DefaultMessageSignatureImpl(signerCertPair.getSigner(), false, signerCertPair.getCertificate()));
        }
        for (SignerCertPair signerCertPair2 : findSignersByName2) {
            arrayList.add(new DefaultMessageSignatureImpl(signerCertPair2.getSigner(), true, signerCertPair2.getCertificate()));
        }
        incomingMessage.setSenderSignatures(arrayList);
    }

    protected DefaultMessageSignatureImpl findTrustedSignature(IncomingMessage incomingMessage, Collection<X509Certificate> collection) {
        return findTrustedSignature(incomingMessage, null, collection);
    }

    protected DefaultMessageSignatureImpl findTrustedSignature(IncomingMessage incomingMessage, InternetAddress internetAddress, Collection<X509Certificate> collection) {
        NHINDAddress sender = incomingMessage.getSender();
        Collection<DefaultMessageSignatureImpl> senderSignatures = incomingMessage.getSenderSignatures();
        DefaultMessageSignatureImpl defaultMessageSignatureImpl = null;
        CRLRevocationManager cRLRevocationManager = CRLRevocationManager.getInstance();
        Iterator<DefaultMessageSignatureImpl> it = senderSignatures.iterator();
        while (it.hasNext()) {
            DefaultMessageSignatureImpl next = it.next();
            if (!cRLRevocationManager.isRevoked(next.getSignerCert()) && isAllowedCertKey(next.getSignerCert())) {
                boolean z = this.certChainValidator.isTrusted(next.getSignerCert(), collection) && next.checkSignature();
                if (z && internetAddress != null) {
                    z = isCertPolicyCompliant(internetAddress, next.getSignerCert());
                }
                if (z) {
                    if (sender.hasCertificates() && !next.checkThumbprint(sender)) {
                        defaultMessageSignatureImpl = next;
                    }
                    return next;
                }
                continue;
            }
        }
        return defaultMessageSignatureImpl;
    }

    protected boolean isCertPolicyCompliant(InternetAddress internetAddress, X509Certificate x509Certificate) {
        boolean z = true;
        if (this.trustPolicyResolver != null && this.policyFilter != null) {
            Iterator<PolicyExpression> it = this.trustPolicyResolver.getIncomingPolicy(internetAddress).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                try {
                    if (!this.policyFilter.isCompliant(x509Certificate, it.next())) {
                        z = false;
                        break;
                    }
                } catch (PolicyRequiredException e) {
                    z = false;
                } catch (PolicyProcessException e2) {
                    throw new AgentException(AgentError.InvalidPolicy, e2);
                }
            }
        }
        return z;
    }

    protected boolean isAllowedCertKey(X509Certificate x509Certificate) {
        return !x509Certificate.getPublicKey().getAlgorithm().contains("RSA") || ((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().bitLength() >= 2048;
    }
}
