package org.nhindirect.stagent.trust;

import com.google.inject.Inject;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import org.nhindirect.stagent.AgentError;
import org.nhindirect.stagent.AgentException;
import org.nhindirect.stagent.CryptoExtensions;
import org.nhindirect.stagent.DefaultMessageSignatureImpl;
import org.nhindirect.stagent.IncomingMessage;
import org.nhindirect.stagent.NHINDAddress;
import org.nhindirect.stagent.OutgoingMessage;
import org.nhindirect.stagent.cert.SignerCertPair;

/* loaded from: input_file:org/nhindirect/stagent/trust/TrustModel.class */
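/**
 * Applies trust policy to messages by recording a {@link TrustEnforcementStatus} on each
 * recipient address.
 *
 * <p>For incoming messages, a recipient is marked successful only when one of the sender's
 * signatures verifies and its signer certificate is accepted by the {@link TrustChainValidator}
 * against that recipient's trust anchors. For outgoing messages, a recipient is marked
 * successful only when at least one of its certificates is accepted against the sender's
 * trust anchors.
 *
 * <p>Both {@code enforce} overloads fail closed per recipient: the status is set to
 * {@code Failed} first and upgraded only after a positive check. Neither overload throws when
 * an individual recipient fails, so callers must inspect the recipient statuses afterwards.
 */
public class TrustModel {
    /**
     * Shared instance backed by a default-constructed {@link TrustChainValidator}.
     * NOTE(review): the validator is reachable through {@link #getCertChainValidator()}; if it
     * holds mutable configuration, changes made through this instance affect every user of
     * {@code Default} -- confirm against TrustChainValidator.
     */
    public static final TrustModel Default = new TrustModel();
    private final TrustChainValidator certChainValidator;

    /** Creates a trust model that uses a default-constructed {@link TrustChainValidator}. */
    public TrustModel() {
        this.certChainValidator = new TrustChainValidator();
    }

    /**
     * Creates a trust model that uses the supplied chain validator.
     *
     * <p>The argument is not null-checked here; a {@code null} validator surfaces as a
     * {@link NullPointerException} the first time a certificate is evaluated.
     *
     * @param trustChainValidator validator used for every certificate trust decision
     */
    @Inject
    public TrustModel(TrustChainValidator trustChainValidator) {
        this.certChainValidator = trustChainValidator;
    }

    /**
     * Returns the validator this model delegates certificate trust decisions to.
     *
     * @return the chain validator supplied at construction time
     */
    public TrustChainValidator getCertChainValidator() {
        return this.certChainValidator;
    }

    /**
     * Enforces trust on an incoming message and records the outcome on each domain recipient.
     *
     * <p>Each recipient ends up as {@code Failed}, {@code Success}, or
     * {@code Success_ThumbprintMismatch}. How callers treat {@code Success_ThumbprintMismatch}
     * is not visible in this class.
     *
     * @param incomingMessage the message to evaluate
     * @throws IllegalArgumentException if {@code incomingMessage} is {@code null}
     * @throws AgentException with {@code UntrustedMessage} if the message carries no signatures,
     *     or with {@code MissingSenderSignature} if none can be attributed to the sender
     */
    public void enforce(IncomingMessage incomingMessage) {
        if (incomingMessage == null) {
            throw new IllegalArgumentException("incomingMessage must not be null");
        }
        // An unsigned message can never be trusted; reject before any per-recipient work.
        if (!incomingMessage.hasSignatures()) {
            throw new AgentException(AgentError.UntrustedMessage);
        }
        findSenderSignatures(incomingMessage);
        if (!incomingMessage.hasSenderSignatures()) {
            throw new AgentException(AgentError.MissingSenderSignature);
        }
        for (NHINDAddress recipient : incomingMessage.getDomainRecipients()) {
            // Fail closed: the recipient stays Failed unless a trusted signature is found.
            recipient.setStatus(TrustEnforcementStatus.Failed);
            DefaultMessageSignatureImpl trustedSignature =
                    findTrustedSignature(incomingMessage, recipient.getTrustAnchors());
            if (trustedSignature != null) {
                // NOTE(review): isThumbprintVerified() presumably reflects the outcome of
                // checkThumbprint(); when the sender has no certificates checkThumbprint() is
                // never called, so the status then depends on that flag's initial value --
                // confirm in DefaultMessageSignatureImpl.
                recipient.setStatus(trustedSignature.isThumbprintVerified()
                        ? TrustEnforcementStatus.Success
                        : TrustEnforcementStatus.Success_ThumbprintMismatch);
            }
        }
    }

    /**
     * Enforces trust on an outgoing message and records the outcome on each recipient.
     *
     * <p>Each recipient's certificate collection is replaced by the subset accepted against the
     * sender's trust anchors (possibly {@code null}), so untrusted certificates are dropped from
     * the address. The sender is not null-checked: a {@code null} sender with at least one
     * recipient results in a {@link NullPointerException}.
     *
     * @param outgoingMessage the message to evaluate
     * @throws IllegalArgumentException if {@code outgoingMessage} is {@code null}
     */
    public void enforce(OutgoingMessage outgoingMessage) {
        if (outgoingMessage == null) {
            throw new IllegalArgumentException("outgoingMessage must not be null");
        }
        NHINDAddress sender = outgoingMessage.getSender();
        for (NHINDAddress recipient : outgoingMessage.getRecipients()) {
            // Fail closed: the recipient stays Failed unless a trusted certificate remains.
            recipient.setStatus(TrustEnforcementStatus.Failed);
            recipient.setCertificates(
                    findTrustedCerts(recipient.getCertificates(), sender.getTrustAnchors()));
            if (recipient.hasCertificates()) {
                recipient.setStatus(TrustEnforcementStatus.Success);
            }
        }
    }

    /**
     * Filters a set of certificates down to those the chain validator accepts.
     *
     * @param collection candidate certificates; may be {@code null}
     * @param collection2 trust anchors passed to the chain validator
     * @return the accepted certificates in iteration order, or {@code null} when
     *     {@code collection} is {@code null} or no candidate is accepted
     */
    protected Collection<X509Certificate> findTrustedCerts(Collection<X509Certificate> collection, Collection<X509Certificate> collection2) {
        if (collection == null) {
            return null;
        }
        // Allocated lazily so that "nothing trusted" is reported as null, which is what
        // existing callers receive today.
        Collection<X509Certificate> trusted = null;
        for (X509Certificate candidate : collection) {
            if (this.certChainValidator.isTrusted(candidate, collection2)) {
                if (trusted == null) {
                    trusted = new ArrayList<X509Certificate>();
                }
                trusted.add(candidate);
            }
        }
        return trusted;
    }

    /**
     * Collects the signatures on the message that can be attributed to its sender and stores
     * them on the message, replacing any previously stored sender signatures.
     *
     * <p>Signers are looked up twice: by the sender's full address, then by the sender's host
     * with the full address passed as the third argument to
     * {@code CryptoExtensions.findSignersByName}.
     *
     * @param incomingMessage the message whose sender signatures are (re)computed
     */
    protected void findSenderSignatures(IncomingMessage incomingMessage) {
        // Clear stale results first so a failure below cannot leave old signatures in place.
        incomingMessage.setSenderSignatures(null);
        NHINDAddress sender = incomingMessage.getSender();
        Collection<DefaultMessageSignatureImpl> senderSignatures =
                new ArrayList<DefaultMessageSignatureImpl>();
        Collection<SignerCertPair> addressSigners =
                CryptoExtensions.findSignersByName(incomingMessage.getSignature(), sender.getAddress(), null);
        Collection<SignerCertPair> hostSigners =
                CryptoExtensions.findSignersByName(incomingMessage.getSignature(), sender.getHost(), Arrays.asList(sender.getAddress()));
        // NOTE(review): the boolean presumably marks a host/organisation-level match (false for
        // address matches, true for host matches) -- confirm against DefaultMessageSignatureImpl.
        for (SignerCertPair pair : addressSigners) {
            senderSignatures.add(new DefaultMessageSignatureImpl(pair.getSigner(), false, pair.getCertificate()));
        }
        for (SignerCertPair pair : hostSigners) {
            senderSignatures.add(new DefaultMessageSignatureImpl(pair.getSigner(), true, pair.getCertificate()));
        }
        incomingMessage.setSenderSignatures(senderSignatures);
    }

    /**
     * Finds a sender signature whose signer certificate is trusted against the given anchors and
     * whose signature verifies, preferring one that also matches the sender's thumbprint.
     *
     * <p>A signature is returned immediately when the sender has no certificates to compare
     * against, or when its thumbprint check succeeds. A trusted signature whose thumbprint does
     * not match is only remembered as a fallback, so that a later signature with a matching
     * thumbprint takes precedence. Every returned signature has passed both the chain-trust and
     * the signature check.
     *
     * @param incomingMessage message whose sender signatures are examined
     * @param collection trust anchors passed to the chain validator
     * @return the preferred trusted signature, the last trusted signature with a thumbprint
     *     mismatch if no better one exists, or {@code null} if none is trusted
     */
    protected DefaultMessageSignatureImpl findTrustedSignature(IncomingMessage incomingMessage, Collection<X509Certificate> collection) {
        NHINDAddress sender = incomingMessage.getSender();
        DefaultMessageSignatureImpl lastTrustedMismatch = null;
        for (DefaultMessageSignatureImpl candidate : incomingMessage.getSenderSignatures()) {
            // Chain trust is evaluated first; the signature is only checked for trusted signers.
            if (!this.certChainValidator.isTrusted(candidate.getSignerCert(), collection) || !candidate.checkSignature()) {
                continue;
            }
            if (!sender.hasCertificates() || candidate.checkThumbprint(sender)) {
                return candidate;
            }
            // Keep looking instead of returning: returning here unconditionally would make the
            // fallback a dead store and report a thumbprint mismatch even when a later
            // signature matches.
            lastTrustedMismatch = candidate;
        }
        return lastTrustedMismatch;
    }
}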
