package no.digipost.api.client.filters.response;

import com.sun.jersey.api.client.ClientHandlerException;
import com.sun.jersey.api.client.ClientRequest;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.filter.ClientFilter;
import com.sun.jersey.core.util.Base64;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import no.digipost.api.client.ApiService;
import no.digipost.api.client.DigipostClient;
import no.digipost.api.client.DigipostClientException;
import no.digipost.api.client.ErrorType;
import no.digipost.api.client.EventLogger;
import no.digipost.api.client.Headers;
import no.digipost.api.client.security.ClientResponseToVerify;
import no.digipost.api.client.security.ResponseMessageSignatureUtil;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:no/digipost/api/client/filters/response/ResponseSignatureFilter.class */
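/**
 * Jersey client filter that verifies the server's signature on each response.
 *
 * <p>The Base64 signature is read from the {@code X-Digipost-Signature} header and checked
 * against the canonical representation of the response, using the public key of the
 * certificate returned by {@link #lastSertifikat()}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Responses for the root resource ({@code "/"}) are passed through unverified.</li>
 *   <li>The verification certificate is taken from {@code apiService.getEntryPoint()} and is
 *       used as-is: this class performs no chain validation, validity-period check or
 *       pinning. NOTE(review): if the entry point is itself the unverified root resource,
 *       the signature check adds no integrity beyond what the transport already gives;
 *       confirm how {@code ApiService} obtains and caches the entry point.</li>
 * </ul>
 */
public class ResponseSignatureFilter extends ClientFilter {
    /** JCA algorithm name used to verify the response signature. */
    private static final String SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";

    private final EventLogger eventLogger;
    private final ApiService apiService;

    /**
     * Creates a filter that logs to {@code DigipostClient.NOOP_EVENT_LOGGER}.
     *
     * @param apiService source of the entry point holding the server certificate
     */
    public ResponseSignatureFilter(ApiService apiService) {
        this(DigipostClient.NOOP_EVENT_LOGGER, apiService);
    }

    /**
     * Creates a filter with an explicit event logger.
     *
     * @param eventLogger receives a message for each skipped, verified or failed check
     * @param apiService source of the entry point holding the server certificate
     */
    public ResponseSignatureFilter(EventLogger eventLogger, ApiService apiService) {
        this.eventLogger = eventLogger;
        this.apiService = apiService;
    }

    /**
     * Executes the request through the rest of the filter chain and verifies the signature
     * of the response before handing it back.
     *
     * @param clientRequest the outgoing request
     * @return the response, once its signature has been verified (or unverified for the
     *     root resource)
     * @throws DigipostClientException with {@code ErrorType.SERVER_SIGNATURE_ERROR} when the
     *     signature header is missing, the signature does not match, or verification fails
     *     for any other reason
     */
    @Override
    public ClientResponse handle(ClientRequest clientRequest) throws ClientHandlerException {
        ClientResponse response = getNext().handle(clientRequest);
        if ("/".equals(clientRequest.getURI().getPath())) {
            // The root resource is exempt from verification; see the class-level security notes.
            this.eventLogger.log("Verifiserer ikke signatur fordi det er rotressurs vi hentet.");
            return response;
        }
        String signatureHeader = getServerSignaturFromResponse(response);
        // Base64 text is ASCII, so an explicit charset only removes the platform dependency.
        byte[] signatureBytes = Base64.decode(signatureHeader.getBytes(StandardCharsets.UTF_8));
        String canonicalResponse = ResponseMessageSignatureUtil.getCanonicalResponseRepresentation(new ClientResponseToVerify(clientRequest, response));
        try {
            Signature verifier = Signature.getInstance(SIGNATURE_ALGORITHM);
            verifier.initVerify(lastSertifikat());
            // The signed bytes must not depend on the JVM's default charset.
            // NOTE(review): assumes the server signs the UTF-8 encoding; confirm against the API spec.
            verifier.update(canonicalResponse.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(signatureBytes)) {
                throw new DigipostClientException(ErrorType.SERVER_SIGNATURE_ERROR, "Melding fra server matcher ikke signatur.");
            }
            this.eventLogger.log("Verifiserte signert respons fra Digipost. Signatur fra HTTP-headeren X-Digipost-Signature var OK: " + signatureHeader);
            return response;
        } catch (DigipostClientException e) {
            // Keep the specific failure (signature mismatch, certificate could not be loaded)
            // instead of replacing it with the generic message below.
            throw e;
        } catch (Exception e) {
            // Fail closed on any other error. The cause is logged because no cause-taking
            // DigipostClientException constructor is visible from this class.
            this.eventLogger.log("Signatursjekk feilet: " + e);
            throw new DigipostClientException(ErrorType.SERVER_SIGNATURE_ERROR, "Det skjedde en feil under signatursjekk.");
        }
    }

    /**
     * Reads the signature header from the response.
     *
     * @param clientResponse the response to inspect
     * @return the non-blank value of the {@code Headers.X_Digipost_Signature} header
     * @throws DigipostClientException if the header is absent or blank, so that an unsigned
     *     response is rejected rather than accepted
     */
    private String getServerSignaturFromResponse(ClientResponse clientResponse) {
        String signatureHeader = (String) clientResponse.getHeaders().getFirst(Headers.X_Digipost_Signature);
        if (StringUtils.isBlank(signatureHeader)) {
            throw new DigipostClientException(ErrorType.SERVER_SIGNATURE_ERROR, "Mangler signatur-header, så server-signatur kunne ikke sjekkes");
        }
        return signatureHeader;
    }

    /**
     * Parses the certificate text of the API entry point into an X.509 certificate, using
     * the provider registered as {@code "BC"}.
     *
     * <p>The certificate is only parsed; nothing here checks its issuer, validity period or
     * identity.
     *
     * @return the parsed certificate, never {@code null}
     * @throws DigipostClientException if the certificate cannot be parsed or the provider is
     *     unavailable
     */
    public X509Certificate lastSertifikat() {
        try {
            // NOTE(review): presumably PEM or another ASCII encoding, so the charset choice
            // does not change the bytes; confirm the format served by the entry point.
            byte[] certificateBytes = this.apiService.getEntryPoint().getCertificate().getBytes(StandardCharsets.UTF_8);
            X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(new ByteArrayInputStream(certificateBytes));
            if (certificate == null) {
                throw new DigipostClientException(ErrorType.SERVER_SIGNATURE_ERROR, "Kunne ikke laste Digipost's public key, så server-signatur kunne ikke sjekkes");
            }
            return certificate;
        } catch (GeneralSecurityException e) {
            throw new DigipostClientException(ErrorType.SERVER_SIGNATURE_ERROR, "Kunne ikke laste Digipost's public key, så server-signatur kunne ikke sjekkes");
        }
    }
}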
