package no.digipost.api.client.filters.response;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import no.digipost.api.client.ApiService;
import no.digipost.api.client.Headers;
import no.digipost.api.client.errorhandling.DigipostClientException;
import no.digipost.api.client.errorhandling.ErrorCode;
import no.digipost.api.client.security.ClientResponseToVerify;
import no.digipost.api.client.security.ResponseMessageSignatureUtil;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.protocol.HttpContext;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: input_file:no/digipost/api/client/filters/response/ResponseSignatureInterceptor.class */
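/**
 * Response interceptor that verifies the server's signature over each HTTP response.
 *
 * <p>The Base64 signature is read from the {@code X-Digipost-Signature} header and checked
 * against the canonical response representation produced by
 * {@link ResponseMessageSignatureUtil}, using the public key of the certificate exposed by
 * the API entry point. Any failure is reported as a {@link DigipostClientException} with
 * {@link ErrorCode#SERVER_SIGNATURE_ERROR}.
 *
 * <p>Security note: verification is skipped entirely when the request context carries
 * {@link #NOT_SIGNED_RESPONSE} set to {@code true}. Code that sets this attribute turns the
 * integrity check off for that exchange, so its use should be limited to calls whose
 * responses are known not to be signed.
 */
public class ResponseSignatureInterceptor implements HttpResponseInterceptor {
    /** Context attribute name; a {@code Boolean.TRUE} value disables signature verification. */
    public static final String NOT_SIGNED_RESPONSE = "NOT_SIGNED_RESPONSE";
    private final ApiService apiService;

    /**
     * @param apiService source of the entry point whose certificate is used for verification
     */
    public ResponseSignatureInterceptor(ApiService apiService) {
        this.apiService = apiService;
    }

    /**
     * Verifies the response signature unless the context marks the response as unsigned.
     *
     * @param httpResponse the response whose signature header and content are checked
     * @param httpContext the exchange context, consulted for {@link #NOT_SIGNED_RESPONSE}
     * @throws DigipostClientException if the header is missing, the signature does not match,
     *     or any other error occurs while verifying
     */
    @Override
    public void process(HttpResponse httpResponse, HttpContext httpContext) {
        Boolean notSigned = (Boolean) httpContext.getAttribute(NOT_SIGNED_RESPONSE);
        if (Boolean.TRUE.equals(notSigned)) {
            // Explicit opt-out: no integrity check is performed for this response.
            return;
        }
        try {
            String signatureHeader = getServerSignaturFromResponse(httpResponse);
            // Explicit charset: the platform default must not influence which bytes are
            // decoded or verified, otherwise the result depends on the JVM's configuration.
            byte[] serverSignature = Base64.decode(signatureHeader.getBytes(StandardCharsets.UTF_8));
            String canonicalResponse = ResponseMessageSignatureUtil.getCanonicalResponseRepresentation(
                    new ClientResponseToVerify(httpContext, httpResponse));

            Signature verifier = Signature.getInstance("SHA256WithRSAEncryption");
            verifier.initVerify(lastSertifikat());
            // NOTE(review): UTF-8 is assumed to match the encoding the server signs over;
            // confirm against the server-side canonicalization.
            verifier.update(canonicalResponse.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(serverSignature)) {
                throw new DigipostClientException(ErrorCode.SERVER_SIGNATURE_ERROR, "Response from server did not match signature.");
            }
        } catch (DigipostClientException e) {
            // Already carries the right error code; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            // Fail closed: any unexpected error (bad Base64, provider problems, ...) rejects the response.
            throw new DigipostClientException(ErrorCode.SERVER_SIGNATURE_ERROR, "An exception occured during server response signature verification. " + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
        }
    }

    /**
     * Reads the Base64-encoded signature from the first {@code X-Digipost-Signature} header.
     *
     * @throws DigipostClientException if the header is absent or blank
     */
    private String getServerSignaturFromResponse(HttpResponse httpResponse) {
        Header signatureHeader = httpResponse.getFirstHeader(Headers.X_Digipost_Signature);
        String value = signatureHeader != null ? signatureHeader.getValue() : null;
        if (StringUtils.isBlank(value)) {
            throw new DigipostClientException(ErrorCode.SERVER_SIGNATURE_ERROR, "Missing X-Digipost-Signature header. Signature from server could not be validated");
        }
        return value;
    }

    /**
     * Parses the X.509 certificate published by the API entry point.
     *
     * <p>NOTE(review): the certificate is used as the verification key as soon as it parses;
     * no validity-period, chain or pinning check is visible in this class. Confirm where the
     * entry point is obtained and how its certificate is trusted.
     *
     * @return the parsed certificate, never {@code null}
     * @throws DigipostClientException if the certificate cannot be parsed, for instance when
     *     the "BC" provider is not registered
     */
    public X509Certificate lastSertifikat() {
        try {
            byte[] encodedCertificate = this.apiService.getEntryPoint().getCertificate().getBytes(StandardCharsets.UTF_8);
            X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509", "BC")
                    .generateCertificate(new ByteArrayInputStream(encodedCertificate));
            if (certificate == null) {
                throw new DigipostClientException(ErrorCode.SERVER_SIGNATURE_ERROR, "Unable to load Digipost's public key. Signature from server could not be validated");
            }
            return certificate;
        } catch (GeneralSecurityException e) {
            // Keep the cause so a missing provider or malformed certificate can be diagnosed.
            throw new DigipostClientException(ErrorCode.SERVER_SIGNATURE_ERROR, "Unable to load Digipost's public key. Signature from server could not be validated", e);
        }
    }
}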
