package de.fhg.aisec.ids.comm.ws.protocol.rat;

import com.google.protobuf.MessageLite;
import de.fhg.aisec.ids.api.conm.RatResult;
import de.fhg.aisec.ids.comm.ByteArrayUtil;
import de.fhg.aisec.ids.messages.AttestationProtos;
import de.fhg.aisec.ids.messages.Idscp;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import tss.tpm.TPMS_ATTEST;
import tss.tpm.TPMT_SIGNATURE;
import tss.tpm.TPM_ALG_ID;

/* loaded from: input_file:de/fhg/aisec/ids/comm/ws/protocol/rat/RemoteAttestationHandler.class */
public class RemoteAttestationHandler {
    public static final String CONTROL_SOCKET = "/var/run/tpm2d/control.sock";
    protected static final Logger LOG = LoggerFactory.getLogger(RemoteAttestationClientHandler.class);
    static String lastError = "";
    private static long privateID = new Random().nextLong();
    boolean mySuccess = false;
    boolean yourSuccess = false;
    Tpm2dSocket tpm2dSocket;

    /* JADX INFO: Access modifiers changed from: package-private */
    public RemoteAttestationHandler() {
        try {
            this.tpm2dSocket = new Tpm2dSocket(System.getenv("TPM_HOST") != null ? System.getenv("TPM_HOST") : "localhost");
        } catch (IOException e) {
            lastError = "Could not create Tpm2dSocket. No TPM present?";
            LOG.warn(lastError);
        }
    }

    public RatResult handleAttestationResult(Idscp.AttestationResult attestationResult) {
        this.yourSuccess = attestationResult.getResult();
        LOG.debug("your success: {}    my success: {}", Boolean.valueOf(this.yourSuccess), Boolean.valueOf(this.mySuccess));
        return !this.mySuccess ? new RatResult(RatResult.Status.FAILED, "Could not verify") : !this.yourSuccess ? new RatResult(RatResult.Status.FAILED, "Remote party did not verify successfully") : new RatResult(RatResult.Status.SUCCESS, (String) null);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean checkRepository(AttestationProtos.IdsAttestationType idsAttestationType, Idscp.AttestationResponse attestationResponse, URI uri) {
        if (idsAttestationType == null || attestationResponse == null || uri == null) {
            return false;
        }
        try {
            Idscp.ConnectorMessage readRepositoryResponse = readRepositoryResponse(Idscp.ConnectorMessage.newBuilder().setId(privateID).setType(Idscp.ConnectorMessage.Type.RAT_REPO_REQUEST).setAttestationRepositoryRequest(Idscp.AttestationRepositoryRequest.newBuilder().setAtype(idsAttestationType).addAllPcrValues(attestationResponse.getPcrValuesList()).build()).build(), uri.toURL());
            LOG.debug("//Q///////////////////////////////////////////////////////////////////////////");
            LOG.debug(attestationResponse.toString());
            LOG.debug("//A///////////////////////////////////////////////////////////////////////////");
            LOG.debug(readRepositoryResponse.toString());
            LOG.debug("/////////////////////////////////////////////////////////////////////////////");
            if (readRepositoryResponse.getAttestationRepositoryResponse().getResult() && readRepositoryResponse.getId() == privateID + 1) {
                if (readRepositoryResponse.getType().equals(Idscp.ConnectorMessage.Type.RAT_REPO_RESPONSE)) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            lastError = "Exception: " + e.getMessage();
            LOG.error("Exception in checkRepository(): ", e);
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] calculateHash(byte[] bArr, Certificate certificate) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
            messageDigest.update(bArr);
            if (certificate != null) {
                messageDigest.update(certificate.getEncoded());
            } else {
                LOG.warn("No client certificate available. Cannot bind nonce to public key to prevent masquerading attack. TLS misconfiguration!");
            }
            return messageDigest.digest();
        } catch (Exception e) {
            LOG.error("Could not create hash of own nonce and local certificate", e);
            return bArr;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean checkSignature(Idscp.AttestationResponse attestationResponse, byte[] bArr) {
        int i;
        byte[] bArr2;
        byte[] byteArray = attestationResponse.getSignature().toByteArray();
        byte[] byteArray2 = attestationResponse.getCertificate().toByteArray();
        byte[] byteArray3 = attestationResponse.getQuoted().toByteArray();
        if (LOG.isDebugEnabled()) {
            LOG.debug("signature: {}", ByteArrayUtil.toPrintableHexString(byteArray));
            LOG.debug("cert: {}", ByteArrayUtil.toPrintableHexString(byteArray2));
            LOG.debug("quoted: {}", ByteArrayUtil.toPrintableHexString(byteArray3));
        }
        if (byteArray.length == 0 || byteArray2.length == 0 || byteArray3.length == 0) {
            LOG.warn("Some required part (signature, cert or quoted) is empty!");
            return false;
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            try {
                BufferedReader newBufferedReader = Files.newBufferedReader(FileSystems.getDefault().getPath("etc", "rootca-cert.pem"), StandardCharsets.US_ASCII);
                try {
                    StringBuilder sb = new StringBuilder();
                    for (String readLine = newBufferedReader.readLine(); readLine != null; readLine = newBufferedReader.readLine()) {
                        if (!readLine.startsWith("-")) {
                            sb.append(readLine.trim());
                        }
                    }
                    X509Certificate x509Certificate = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(sb.toString())));
                    if (newBufferedReader != null) {
                        newBufferedReader.close();
                    }
                    X509Certificate x509Certificate2 = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(byteArray2));
                    try {
                        x509Certificate2.verify(x509Certificate.getPublicKey());
                        try {
                            TPMT_SIGNATURE fromTpm = TPMT_SIGNATURE.fromTpm(byteArray);
                            try {
                                byte[] bArr3 = TPMS_ATTEST.fromTpm(byteArray3).extraData;
                                if (!Arrays.equals(bArr3, bArr)) {
                                    if (!LOG.isWarnEnabled()) {
                                        return false;
                                    }
                                    LOG.warn("The hash (extra data) in TPMS_ATTEST structure is invalid!\nextra data: {}\nhash: {}", ByteArrayUtil.toPrintableHexString(bArr3), ByteArrayUtil.toPrintableHexString(bArr));
                                    return false;
                                }
                                int GetUnionSelector_signature = fromTpm.GetUnionSelector_signature();
                                if (GetUnionSelector_signature == TPM_ALG_ID.RSAPSS.toInt()) {
                                    i = fromTpm.signature.hash.toInt();
                                    bArr2 = fromTpm.signature.sig;
                                } else {
                                    if (GetUnionSelector_signature != TPM_ALG_ID.RSASSA.toInt()) {
                                        throw new Exception("Unknown or unimplemented signature scheme: " + fromTpm.signature.getClass());
                                    }
                                    i = fromTpm.signature.hash.toInt();
                                    bArr2 = fromTpm.signature.sig;
                                }
                                if (i != TPM_ALG_ID.SHA256.toInt()) {
                                    throw new Exception("Only SHA256withRSA TPM signature hash algorithm is allowed!");
                                }
                                Signature signature = Signature.getInstance("SHA256withRSA");
                                signature.initVerify(x509Certificate2.getPublicKey());
                                signature.update(byteArray3);
                                boolean verify = signature.verify(bArr2);
                                if (!verify && LOG.isWarnEnabled()) {
                                    LOG.warn("Attestation signature invalid!");
                                }
                                return verify;
                            } catch (Exception e) {
                                LOG.warn("Could not create a TPMS_ATTEST from bytes:\n" + ByteArrayUtil.toPrintableHexString(byteArray3), e);
                                return false;
                            }
                        } catch (Exception e2) {
                            LOG.warn("Could not create a TPMT_SIGNATURE from bytes:\n" + ByteArrayUtil.toPrintableHexString(byteArray), e2);
                            return false;
                        }
                    } catch (Exception e3) {
                        LOG.error("TPM certificate is invalid", e3);
                        return false;
                    }
                } catch (Throwable th) {
                    if (newBufferedReader != null) {
                        try {
                            newBufferedReader.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Exception e4) {
                LOG.error("Error parsing root certificate", e4);
                return false;
            }
        } catch (Exception e5) {
            LOG.warn("Error during attestation validation", e5);
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static MessageLite sendError(long j, String str) {
        if (str == null) {
            str = "";
        }
        return Idscp.ConnectorMessage.newBuilder().setId(j).setType(Idscp.ConnectorMessage.Type.ERROR).setError(Idscp.Error.newBuilder().setErrorCode("").setErrorMessage(str).build()).build();
    }

    private static Idscp.ConnectorMessage readRepositoryResponse(Idscp.ConnectorMessage connectorMessage, URL url) throws IOException, GeneralSecurityException {
        HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
        SSLContext sSLContext = SSLContext.getInstance("TLSv1.2");
        sSLContext.init(null, null, null);
        httpsURLConnection.setSSLSocketFactory(sSLContext.getSocketFactory());
        httpsURLConnection.setUseCaches(false);
        httpsURLConnection.setDoInput(true);
        httpsURLConnection.setDoOutput(true);
        httpsURLConnection.setRequestMethod("POST");
        httpsURLConnection.setRequestProperty("Accept", "application/x-protobuf");
        httpsURLConnection.setRequestProperty("Content-Type", "application/x-protobuf");
        httpsURLConnection.setRequestProperty("User-Agent", "IDS-Connector");
        httpsURLConnection.setRequestProperty("Content-length", String.valueOf(connectorMessage.toByteArray().length));
        connectorMessage.writeTo(httpsURLConnection.getOutputStream());
        return Idscp.ConnectorMessage.newBuilder().mergeFrom(httpsURLConnection.getInputStream()).build();
    }
}
