package org.openecard.control.module.tctoken;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.openecard.bouncycastle.crypto.tls.Certificate;
import org.openecard.common.DynamicContext;
import org.openecard.common.I18n;
import org.openecard.common.TR03112Keys;
import org.openecard.common.util.Promise;
import org.openecard.common.util.TR03112Utils;
import org.openecard.control.ControlException;
import org.openecard.control.module.tctoken.CertificateVerifier;
import org.openecard.crypto.common.asn1.cvc.CertificateDescription;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openecard/control/module/tctoken/RedirectCertificateVerifier.class */
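/**
 * Verifies the TLS server certificate presented at each hop of a TC Token redirect chain.
 * <p>
 * With redirect checks enabled, every hop's certificate must be contained in the
 * CommCertificates of the eService certificate's CertificateDescription (obtained from the
 * {@link DynamicContext}), and the hop's origin is compared against the description's
 * SubjectURL to decide whether the chain may continue or has reached its end.
 * <p>
 * Not thread-safe: the instance carries state ({@code firstInvocation}, {@code lastRedirect})
 * across successive {@link #verify} calls and is presumably meant to be used for a single
 * redirect chain only — confirm against the callers.
 */
public class RedirectCertificateVerifier implements CertificateVerifier {
    private static final Logger logger = LoggerFactory.getLogger(RedirectCertificateVerifier.class);
    // Upper bound on how long verify() waits for the CertificateDescription to be published.
    private static final long DESC_TIMEOUT_SECONDS = 60L;
    private final boolean redirectChecks;
    private final I18n lang = I18n.getTranslation("tctoken");
    private final Promise<Object> descPromise = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY).getPromise(TR03112Keys.ESERVICE_CERTIFICATE_DESC);
    // Redirect-chain state: cleared by the first hop that is not same-origin with the SubjectURL.
    private boolean firstInvocation = true;
    // Set once a same-origin hop has been seen after a foreign hop; the next same-origin hop finishes.
    private boolean lastRedirect = false;

    /**
     * @param redirectChecks when {@code false}, {@link #verify} returns {@code FINISH} without
     *     inspecting the certificate or the URL at all
     */
    public RedirectCertificateVerifier(boolean redirectChecks) {
        this.redirectChecks = redirectChecks;
    }

    /**
     * Checks one redirect hop.
     *
     * @param url the URL of the current hop
     * @param certificate the TLS certificate presented by the server of that hop
     * @return {@code FINISH} when no further hops are expected, {@code CONTINE} (sic, interface
     *     constant) when the chain may proceed
     * @throws ControlException if the certificate is not among the CommCertificates, if the
     *     CertificateDescription could not be obtained in time (or the wait was interrupted), or
     *     if its SubjectURL is not a valid URL
     */
    @Override // org.openecard.control.module.tctoken.CertificateVerifier
    public CertificateVerifier.VerifierResult verify(URL url, Certificate certificate) {
        if (!this.redirectChecks) {
            return CertificateVerifier.VerifierResult.FINISH;
        }

        CertificateDescription description;
        try {
            description = (CertificateDescription) this.descPromise.deref(DESC_TIMEOUT_SECONDS, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so the caller can observe the interruption; keep the cause.
            Thread.currentThread().interrupt();
            logger.error("Couldn't retrieve the CertificateDescription from the DynamicContext.");
            throw new ControlException("Couldn't retrieve the CertificateDescription from the DynamicContext.", e);
        } catch (TimeoutException e) {
            logger.error("Couldn't retrieve the CertificateDescription from the DynamicContext.");
            throw new ControlException("Couldn't retrieve the CertificateDescription from the DynamicContext.", e);
        }

        // Binding check: the hop's server certificate must be one the eService declared.
        if (!TR03112Utils.isInCommCertificates(certificate, description.getCommCertificates())) {
            logger.error("The retrieved server certificate is NOT contained in the CommCertificates of the CertificateDescription extension of the eService certificate.");
            throw new ControlException(this.lang.translationForKey("invalid_redirect", new Object[0]));
        }

        URL subjectUrl;
        try {
            subjectUrl = new URL(description.getSubjectURL());
        } catch (MalformedURLException e) {
            throw new ControlException("Failed to convert SubjectURL to URL class.", e);
        }

        // A hop outside the SubjectURL's origin may continue, but marks that we have left the first hop.
        if (!TR03112Utils.checkSameOriginPolicy(url, subjectUrl)) {
            this.firstInvocation = false;
            return CertificateVerifier.VerifierResult.CONTINE;
        }
        // First same-origin hop after a foreign hop: allow one more redirect.
        if (!this.firstInvocation && !this.lastRedirect) {
            this.lastRedirect = true;
            return CertificateVerifier.VerifierResult.CONTINE;
        }
        return CertificateVerifier.VerifierResult.FINISH;
    }
}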
