package de.governikus.panstar.sdk.soap.handler;

import de.bund.bsi.eid240.EID;
import de.governikus.panstar.sdk.soap.configuration.SoapConfiguration;
import de.governikus.panstar.sdk.soap.exception.SoapException;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.Loader;

/* loaded from: input_file:de/governikus/panstar/sdk/soap/handler/WebServiceWrapper.class */
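/**
 * JAX-WS {@link Service} wrapper for the TR-03130 eID-Server SOAP interface.
 *
 * <p>The wrapper hands out a fully configured {@link EID} port: the endpoint address, the WSS4J
 * signature crypto (request signing key plus the certificate used to validate response signatures)
 * and the TLS client parameters for mutual TLS. All key material comes from the
 * {@link SoapConfiguration}; every key store built here lives in memory only and is never read from
 * or written to disk.
 */
class WebServiceWrapper extends Service {

    /**
     * Alias of the request-signature key inside the in-memory signature key store. The same value
     * is handed to WSS4J as {@code security.signature.username}, which is how WSS4J locates the
     * private key by alias, so the two usages must stay in sync.
     */
    private static final String SIGNATURE_USER = "client";

    /**
     * Password protecting the in-memory key stores and their key entries. It is not a secret: the
     * stores are created with {@code load(null, ...)}, exist only inside this process and are never
     * persisted, so the value merely satisfies the {@link KeyStore} / {@link KeyManagerFactory} API
     * and lets WSS4J unlock the signature key via {@code security.signature.password}.
     */
    private static final String SIGNATURE_PASSWORD = "virtualPassword";

    /** Key store type for every in-memory store created by this class. */
    private static final String KEY_STORE_TYPE = "JKS";

    /** System property selecting the autent WSDL variant when set to {@code true}. */
    private static final String AUTENT_MODE_PROPERTY = "de.governikus.panstar.sdk.autentMode";

    private final SoapConfiguration soapConfiguration;

    /**
     * Creates the service from the WSDL bundled with the SDK.
     *
     * <p>The WSDL variant is chosen by the system property {@code de.governikus.panstar.sdk.autentMode}:
     * {@code true} selects the autent WSDL, anything else the standard one.
     *
     * @param soapConfiguration configuration providing the endpoint URL and all key material
     * @throws NullPointerException if {@code soapConfiguration} is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public WebServiceWrapper(SoapConfiguration soapConfiguration) {
        super(WebServiceWrapper.class.getResource(wsdlLocation()), new QName("http://bsi.bund.de/eID/", "eID"));
        this.soapConfiguration = Objects.requireNonNull(soapConfiguration, "soapConfiguration");
    }

    /** Resolves the classpath location of the WSDL to load, depending on the autent-mode property. */
    private static String wsdlLocation() {
        return Boolean.getBoolean(AUTENT_MODE_PROPERTY)
            ? "/wsdl/TR-03130eID-Server240-autent.wsdl"
            : "/wsdl/TR-03130eID-Server240.wsdl";
    }

    /**
     * Builds the {@link EID} port configured for the endpoint, WS-Security signatures and mutual TLS.
     *
     * @return the configured port proxy
     * @throws SoapException if the signature crypto, key manager or trust manager cannot be created
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public EID getEidPort() throws SoapException {
        EID port = getPort(EID.class);
        // Every JAX-WS port proxy also implements BindingProvider, which exposes the request context.
        configureRequestContext((BindingProvider) port);
        configureTls(port);
        return port;
    }

    /** Sets endpoint address and WSS4J signature properties on the port's request context. */
    private void configureRequestContext(BindingProvider bindingProvider) throws SoapException {
        Map<String, Object> requestContext = bindingProvider.getRequestContext();
        requestContext.put("javax.xml.ws.service.endpoint.address",
            this.soapConfiguration.getSoapEidServerConfiguration().getSoapEndpointUrl());
        requestContext.put("security.signature.crypto", getSignatureCrypto());
        // Username is the key alias in the Merlin store; the password unlocks that key entry.
        requestContext.put("security.signature.username", SIGNATURE_USER);
        requestContext.put("security.signature.password", SIGNATURE_PASSWORD);
    }

    /**
     * Installs the TLS parameters on the port's HTTP conduit: trust is restricted to the configured
     * server certificate and the configured client key is presented for TLS client authentication.
     */
    private void configureTls(Object port) throws SoapException {
        TLSClientParameters tlsClientParameters = new TLSClientParameters();
        tlsClientParameters.setTrustManagers(getTrustManager());
        tlsClientParameters.setKeyManagers(getKeyManager());
        // getConduit() is typed as the generic Conduit; an HTTP client always carries an HTTPConduit.
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
        conduit.setTlsClientParameters(tlsClientParameters);
    }

    /**
     * Creates an empty in-memory key store unlocked with {@link #SIGNATURE_PASSWORD}.
     *
     * @throws KeyStoreException if no provider supports {@link #KEY_STORE_TYPE}
     * @throws IOException if the (empty) store cannot be initialised
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @throws CertificateException if the (empty) store cannot be initialised
     */
    private static KeyStore newInMemoryKeyStore()
        throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
        // load(null, ...) initialises an empty store without touching the file system.
        keyStore.load(null, SIGNATURE_PASSWORD.toCharArray());
        return keyStore;
    }

    /**
     * Builds the key managers presenting the configured TLS client key and certificate.
     *
     * @return key managers backed by a single-entry in-memory key store
     * @throws SoapException if the key store or key manager factory cannot be set up
     */
    private KeyManager[] getKeyManager() throws SoapException {
        try {
            KeyStore keyStore = newInMemoryKeyStore();
            Certificate[] chain = {this.soapConfiguration.getSoapKeyMaterial().getTlsClientCertificate()};
            keyStore.setKeyEntry("clientTlsKey", this.soapConfiguration.getSoapKeyMaterial().getTlsClientKey(),
                SIGNATURE_PASSWORD.toCharArray(), chain);
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Same password as the key entry, otherwise the factory cannot recover the private key.
            keyManagerFactory.init(keyStore, SIGNATURE_PASSWORD.toCharArray());
            return keyManagerFactory.getKeyManagers();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            throw new SoapException("Can not create key manager for tls client authentication", e);
        }
    }

    /**
     * Builds the trust managers trusting only the configured eID-Server TLS certificate.
     *
     * @return trust managers backed by a single-certificate in-memory trust store
     * @throws SoapException if the trust store or trust manager factory cannot be set up
     */
    private TrustManager[] getTrustManager() throws SoapException {
        try {
            KeyStore trustStore = newInMemoryKeyStore();
            // Only this certificate is trusted; the JVM's default CA set is deliberately not used.
            trustStore.setCertificateEntry("serverTlsCertificate",
                this.soapConfiguration.getSoapKeyMaterial().getTlsServerCertificate());
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            return trustManagerFactory.getTrustManagers();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new SoapException("Can not create trust manager for tls client authentication", e);
        }
    }

    /**
     * Builds the WSS4J {@link Merlin} crypto holding the request-signature key and the certificate
     * used to validate response signatures.
     *
     * @return the configured Merlin instance
     * @throws SoapException if Merlin or its key store cannot be created
     */
    private Merlin getSignatureCrypto() throws SoapException {
        try {
            // Empty properties and no password encryptor: the key store is supplied programmatically below.
            Merlin merlin = new Merlin(new Properties(), Loader.getClassLoader(CryptoFactory.class), (PasswordEncryptor) null);
            KeyStore signatureKeyStore = getSignatureClientKeyStore();
            signatureKeyStore.setCertificateEntry("server",
                this.soapConfiguration.getSoapKeyMaterial().getResponseSignatureValidationCertificate());
            merlin.setKeyStore(signatureKeyStore);
            return merlin;
        } catch (WSSecurityException | IOException | KeyStoreException e) {
            throw new SoapException("Can not create crypto provider for web service communication", e);
        }
    }

    /**
     * Builds the in-memory key store holding the request-signature key under alias
     * {@link #SIGNATURE_USER}, protected by {@link #SIGNATURE_PASSWORD}.
     *
     * @return the signature key store
     * @throws SoapException if the key store cannot be created or the key entry cannot be added
     */
    private KeyStore getSignatureClientKeyStore() throws SoapException {
        try {
            KeyStore keyStore = newInMemoryKeyStore();
            Certificate[] chain = {this.soapConfiguration.getSoapKeyMaterial().getRequestSignatureCertificate()};
            keyStore.setKeyEntry(SIGNATURE_USER, this.soapConfiguration.getSoapKeyMaterial().getRequestSignatureKey(),
                SIGNATURE_PASSWORD.toCharArray(), chain);
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new SoapException("Can not create key store for soap signatures", e);
        }
    }
}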
