package ee.sk.mid;

import ee.sk.mid.exception.TechnicalErrorException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ee/sk/mid/AuthenticationResponseValidator.class */
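/**
 * Validates a Mobile-ID authentication response and extracts the subject's identity from the
 * authentication certificate.
 *
 * <p>Three checks are applied to the response: the end result must be {@code "OK"}, the signature
 * must verify under the public key of the certificate carried in the response, and the
 * certificate's {@code notAfter} date must not lie in the past.
 *
 * <p>NOTE(review): the signature is verified against the key of the certificate that arrives in
 * the same response. Nothing in this class checks that the certificate chains to a trusted
 * issuer, that it has not been revoked, or that its {@code notBefore} date has been reached.
 * Unless the caller anchors the certificate to a trusted CA, a passing result only shows that
 * the response is internally consistent. Confirm where issuer trust is established.
 *
 * <p>NOTE(review): whether the verified hash is the one this relying party generated for the
 * session depends on how {@code MobileIdAuthentication} was built and on {@code SignatureVerifier};
 * neither is visible here. Confirm.
 */
public class AuthenticationResponseValidator {
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationResponseValidator.class);

    /**
     * Runs all checks on the response and collects every failure instead of stopping at the
     * first one.
     *
     * <p>The identity is copied from the certificate before any check runs, so it is populated
     * even when the result is marked invalid. Callers must consult the result's validity flag
     * and error list before trusting the identity.
     *
     * @param mobileIdAuthentication the authentication response to validate
     * @return the result holding the extracted identity and any validation errors; this method
     *     only ever sets the validity flag to {@code false}, so the "valid" outcome relies on the
     *     default state of a new {@code MobileIdAuthenticationResult} (presumably valid; confirm)
     * @throws TechnicalErrorException if the certificate, signature or hash type is missing, or
     *     the certificate subject cannot be parsed
     * @throws IllegalArgumentException if the certificate key is neither RSA nor EC
     */
    public MobileIdAuthenticationResult validate(MobileIdAuthentication mobileIdAuthentication) {
        validateAuthentication(mobileIdAuthentication);
        MobileIdAuthenticationResult authenticationResult = new MobileIdAuthenticationResult();
        authenticationResult.setAuthenticationIdentity(
                constructAuthenticationIdentity(mobileIdAuthentication.getCertificate()));
        if (!isResultOk(mobileIdAuthentication)) {
            authenticationResult.setValid(false);
            authenticationResult.addError(MobileIdAuthenticationError.INVALID_RESULT);
        }
        if (!isSignatureValid(mobileIdAuthentication)) {
            authenticationResult.setValid(false);
            authenticationResult.addError(MobileIdAuthenticationError.SIGNATURE_VERIFICATION_FAILURE);
        }
        if (!isCertificateValid(mobileIdAuthentication.getCertificate())) {
            authenticationResult.setValid(false);
            authenticationResult.addError(MobileIdAuthenticationError.CERTIFICATE_EXPIRED);
        }
        return authenticationResult;
    }

    /**
     * Rejects responses that lack the fields the later checks depend on.
     *
     * @throws TechnicalErrorException if the certificate, the signature value or the hash type
     *     is absent
     */
    private void validateAuthentication(MobileIdAuthentication mobileIdAuthentication) throws TechnicalErrorException {
        if (mobileIdAuthentication.getCertificate() == null) {
            logger.error("Certificate is not present in the authentication response");
            throw new TechnicalErrorException("Certificate is not present in the authentication response");
        }
        // A null signature is reported the same way as an empty one; before this check it
        // surfaced as a NullPointerException instead of the documented technical error.
        if (mobileIdAuthentication.getSignatureValueInBase64() == null
                || mobileIdAuthentication.getSignatureValueInBase64().isEmpty()) {
            logger.error("Signature is not present in the authentication response");
            throw new TechnicalErrorException("Signature is not present in the authentication response");
        }
        if (mobileIdAuthentication.getHashType() == null) {
            logger.error("Hash type is not present in the authentication response");
            throw new TechnicalErrorException("Hash type is not present in the authentication response");
        }
    }

    /**
     * Builds the identity from the GIVENNAME, SURNAME, SERIALNUMBER and C attributes of the
     * certificate subject. Other attributes are ignored, and an attribute missing from the
     * subject leaves the matching identity field unset.
     *
     * @param x509Certificate the authentication certificate from the response
     * @return the identity read from the subject distinguished name
     * @throws TechnicalErrorException if the subject cannot be parsed as an LDAP name
     */
    AuthenticationIdentity constructAuthenticationIdentity(X509Certificate x509Certificate) throws TechnicalErrorException {
        AuthenticationIdentity identity = new AuthenticationIdentity();
        try {
            LdapName subject = new LdapName(x509Certificate.getSubjectDN().getName());
            for (Rdn rdn : subject.getRdns()) {
                // Locale.ROOT keeps the comparison independent of the JVM default locale: with
                // locale-specific casing (e.g. Turkish dotted I) "serialNumber" would not
                // upper-case to "SERIALNUMBER" and the identity code would silently stay unset.
                String attributeType = rdn.getType().toUpperCase(Locale.ROOT);
                switch (attributeType) {
                    case "GIVENNAME":
                        identity.setGivenName(rdn.getValue().toString());
                        break;
                    case "SURNAME":
                        identity.setSurName(rdn.getValue().toString());
                        break;
                    case "SERIALNUMBER":
                        identity.setIdentityCode(getIdentityNumber(rdn.getValue().toString()));
                        break;
                    case "C":
                        identity.setCountry(rdn.getValue().toString());
                        break;
                    default:
                        // Attribute is not part of the identity.
                        break;
                }
            }
            return identity;
        } catch (InvalidNameException e) {
            logger.error("Error getting authentication identity from the certificate", e);
            throw new TechnicalErrorException("Error getting authentication identity from the certificate", e);
        }
    }

    /**
     * Strips a leading {@code PNOxx-} prefix (xx being two upper-case letters) from the subject
     * serial number. A value without that prefix is returned unchanged.
     */
    private String getIdentityNumber(String str) {
        return str.replaceAll("^PNO[A-Z][A-Z]-", "");
    }

    /** Returns whether the response's end result is "OK", ignoring case. */
    private boolean isResultOk(MobileIdAuthentication mobileIdAuthentication) {
        return "OK".equalsIgnoreCase(mobileIdAuthentication.getResult());
    }

    /**
     * Verifies the response signature with the verifier that matches the certificate's key
     * algorithm.
     *
     * <p>The key comes from the certificate inside the response itself, so this check alone
     * does not establish who produced the signature.
     *
     * @throws IllegalArgumentException if the key algorithm is neither RSA nor EC
     */
    private boolean isSignatureValid(MobileIdAuthentication mobileIdAuthentication) {
        PublicKey publicKey = mobileIdAuthentication.getCertificate().getPublicKey();
        switch (publicKey.getAlgorithm()) {
            case "RSA":
                return SignatureVerifier.verifyWithRSA(publicKey, mobileIdAuthentication);
            case "EC":
                return SignatureVerifier.verifyWithECDSA(publicKey, mobileIdAuthentication);
            default:
                throw new IllegalArgumentException("Unsupported algorithm " + publicKey.getAlgorithm());
        }
    }

    /**
     * Returns whether the certificate's {@code notAfter} date is not before the current time.
     *
     * <p>NOTE(review): only expiry is checked; a certificate whose {@code notBefore} date lies
     * in the future passes. The only certificate error reported by this class is
     * CERTIFICATE_EXPIRED, so a not-yet-valid check would need a decision on how to report it.
     */
    private boolean isCertificateValid(X509Certificate x509Certificate) {
        return !x509Certificate.getNotAfter().before(new Date());
    }
}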
