package eu.unicore.security.dsig;

import java.io.StringWriter;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMCryptoContext;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI;
import org.apache.log4j.Logger;
import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import xmlbeans.org.w3.x2000.x09.xmldsig.KeyInfoType;
import xmlbeans.org.w3.x2000.x09.xmldsig.X509DataType;

/* loaded from: input_file:eu/unicore/security/dsig/DigSignatureUtil.class */
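/**
 * Creates and verifies XML Digital Signatures over DOM documents using the JSR-105 API
 * backed by the Apache Santuario provider ({@code "ApacheXMLDSig"}).
 * <p>
 * Signing produces an enveloped signature over the document element, addressed through a
 * caller-supplied {@link IdAttribute}. The algorithms are the xmldsig-core SHA-1 URIs
 * ({@link DigestMethod#SHA1}, {@link SignatureMethod#RSA_SHA1} / {@link SignatureMethod#DSA_SHA1})
 * with exclusive C14N. SHA-1 is no longer recommended for new signatures; the URIs are kept
 * unchanged here because changing them changes what every verifying peer must accept.
 * <p>
 * Verification does JSR-105 core validation and then {@link #checkCompletness}, which requires
 * every caller-listed element to be covered by a signed {@code Reference}. While registering ID
 * attributes for reference resolution, a document containing two elements with the same ID value
 * is rejected (see {@link #checkElementForIdAttribute}) rather than silently resolving the first one.
 * <p>
 * The only instance state is the {@link XMLSignatureFactory} obtained at construction.
 */
/* loaded from: input_file:eu/unicore/security/dsig/DigSignatureUtil.class */
public class DigSignatureUtil {
    private static final Logger log = Logger.getLogger("unicore.security.dsig." + DigSignatureUtil.class.getSimpleName());

    /** Namespace prefix written for the dsig namespace in generated signatures. */
    private static final String DSIG_PREFIX = "dsig";
    /** Lowest xmlsec provider version accepted without logging an error. */
    private static final double MIN_XMLSEC_VERSION = 1.5d;

    private final XMLSignatureFactory fac;

    /**
     * Registers the Apache XMLDSig provider and obtains a DOM {@link XMLSignatureFactory} from it.
     *
     * @throws DSigException if the provider cannot be registered or the factory cannot be created
     */
    public DigSignatureUtil() throws DSigException {
        XMLSignatureFactory factory;
        try {
            // addProvider() returns -1 and does nothing when the provider is already installed,
            // so repeated construction is harmless.
            Security.addProvider(new XMLDSigRI());
            factory = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
            double version = factory.getProvider().getVersion();
            // NOTE(review): the threshold is 1.5 while the message names 1.44 — confirm which is intended.
            if (version < MIN_XMLSEC_VERSION) {
                log.error("xmlsec library is not properly configured, XML dsig will sometimes fail! Currently version " + version + " is used, while at least version 1.44 should be used. Most often this means that xmlsec-x.xx.jar is not in Java endorsed directory.");
            }
        } catch (Exception e) {
            throw new DSigException("Initialization of digital signature engine failed", e);
        }
        this.fac = factory;
    }

    /**
     * Signs {@code document} in place with an enveloped signature over its document element.
     *
     * @param privateKey          RSA or DSA signing key
     * @param publicKey           if non-null, emitted as a {@code KeyValue} in {@code KeyInfo}
     * @param x509CertificateArr  if non-null, emitted as {@code X509Data} in {@code KeyInfo}
     * @param document            document to sign; modified in place
     * @param node                if non-null, the {@code Signature} element is inserted before this
     *                            child of the document element, otherwise appended
     * @param idAttribute         attribute whose value on the document element becomes the reference URI
     * @throws DSigException wrapping any failure (unsupported key type, missing ID attribute, provider errors)
     */
    public void genEnvelopedSignature(PrivateKey privateKey, PublicKey publicKey, X509Certificate[] x509CertificateArr, Document document, Node node, IdAttribute idAttribute) throws DSigException {
        try {
            genEnvelopedSignatureInternal(privateKey, publicKey, x509CertificateArr, document, node, idAttribute);
        } catch (Exception e) {
            throw new DSigException("Creation of enveloped signature failed", e);
        }
    }

    /**
     * Builds the {@code SignedInfo} (one same-document reference, enveloped + exc-c14n transforms),
     * the optional {@code KeyInfo}, and signs the document element.
     */
    private void genEnvelopedSignatureInternal(PrivateKey privateKey, PublicKey publicKey, X509Certificate[] x509CertificateArr, Document document, Node node, IdAttribute idAttribute) throws MarshalException, XMLSignatureException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, KeyException, CertificateExpiredException, CertificateNotYetValidException {
        DigestMethod digestMethod = fac.newDigestMethod(DigestMethod.SHA1, (DigestMethodParameterSpec) null);
        List<Transform> transforms = new ArrayList<Transform>(2);
        transforms.add(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
        transforms.add(fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
        CanonicalizationMethod c14nMethod = fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null);
        SignatureMethod signatureMethod = selectSignatureMethod(privateKey);

        Element documentElement = document.getDocumentElement();
        String idNs = idAttribute.getNamespace();
        String idName = idAttribute.getLocalName();
        if (!documentElement.hasAttributeNS(idNs, idName)) {
            throw new IllegalArgumentException("The document to be signed doesn't contain the requested ID attribtue " + idAttribute);
        }
        // hasAttributeNS() succeeded above, so the value is present; build the same-document URI.
        String referenceUri = "#" + documentElement.getAttributeNS(idNs, idName);
        Reference reference = fac.newReference(referenceUri, digestMethod, transforms, (String) null, (String) null);
        SignedInfo signedInfo = fac.newSignedInfo(c14nMethod, signatureMethod, Collections.singletonList(reference));

        if (log.isTraceEnabled()) {
            log.trace("Will generate signature of a document:\n" + dumpDOMToString(document));
        }
        DOMSignContext signContext = node == null
                ? new DOMSignContext(privateKey, documentElement)
                : new DOMSignContext(privateKey, documentElement, node);
        // Register the ID attribute so the reference URI resolves to the document element.
        signContext.setIdAttributeNS(documentElement, idNs, idName);
        signContext.putNamespacePrefix(XMLSignature.XMLNS, DSIG_PREFIX);

        KeyInfo keyInfo = buildKeyInfo(fac.getKeyInfoFactory(), publicKey, x509CertificateArr);
        fac.newXMLSignature(signedInfo, keyInfo).sign(signContext);
        if (log.isTraceEnabled()) {
            log.trace("Signed document:\n" + dumpDOMToString(document));
        }
    }

    /**
     * Chooses the signature algorithm matching the key type.
     *
     * @throws KeyException if the key is neither RSA nor DSA
     */
    private SignatureMethod selectSignatureMethod(PrivateKey privateKey) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, KeyException {
        if (privateKey instanceof RSAPrivateKey) {
            return fac.newSignatureMethod(SignatureMethod.RSA_SHA1, (SignatureMethodParameterSpec) null);
        }
        if (privateKey instanceof DSAPrivateKey) {
            return fac.newSignatureMethod(SignatureMethod.DSA_SHA1, (SignatureMethodParameterSpec) null);
        }
        throw new KeyException("Unsupported private key algorithm (must be DSA or RSA) :" + privateKey.getAlgorithm());
    }

    /**
     * Assembles {@code KeyInfo} from the optional public key and certificate chain.
     *
     * @return the key info, or {@code null} when neither a key nor certificates were given
     */
    private static KeyInfo buildKeyInfo(KeyInfoFactory keyInfoFactory, PublicKey publicKey, X509Certificate[] certificates) throws KeyException {
        List<XMLStructure> content = new ArrayList<XMLStructure>(2);
        if (publicKey != null) {
            content.add(keyInfoFactory.newKeyValue(publicKey));
        }
        if (certificates != null) {
            content.add(keyInfoFactory.newX509Data(Arrays.asList(certificates)));
        }
        return content.isEmpty() ? null : keyInfoFactory.newKeyInfo(content);
    }

    /**
     * Verifies the enveloped signature found in {@code document}.
     *
     * @param document    signed document
     * @param list        elements that must be covered by a signed reference (may be empty)
     * @param idAttribute attribute used to resolve same-document references
     * @param publicKey   key to validate the signature with
     * @return {@code true} only if core validation passes and every element in {@code list} is signed
     * @throws DSigException wrapping any failure, including an unsigned document
     */
    public boolean verifyEnvelopedSignature(Document document, List<Element> list, IdAttribute idAttribute, PublicKey publicKey) throws DSigException {
        try {
            return verifyEnvelopedSignatureInternal(document, list, idAttribute, publicKey);
        } catch (Exception e) {
            throw new DSigException("Verification of enveloped signature failed", e);
        }
    }

    /**
     * Locates the {@code Signature} element and delegates to {@link #verifySignatureInternal}.
     * Only the first {@code Signature} element in document order is validated; any further
     * {@code Signature} elements are not examined, so a caller that expects exactly one signature
     * must enforce that separately.
     */
    private boolean verifyEnvelopedSignatureInternal(Document document, List<Element> list, IdAttribute idAttribute, PublicKey publicKey) throws MarshalException, XMLSignatureException {
        NodeList signatures = document.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (signatures.getLength() == 0) {
            throw new XMLSignatureException("Document not signed");
        }
        return verifySignatureInternal(document, list, idAttribute, publicKey, signatures.item(0));
    }

    /**
     * Verifies a signature whose {@code Signature} node is supplied by the caller.
     *
     * @param node the {@code Signature} element to validate
     * @return {@code true} only if core validation passes and every element in {@code list} is signed
     * @throws DSigException wrapping any failure
     */
    public boolean verifyDetachedSignature(Document document, List<Element> list, IdAttribute idAttribute, PublicKey publicKey, Node node) throws DSigException {
        try {
            return verifySignatureInternal(document, list, idAttribute, publicKey, node);
        } catch (Exception e) {
            throw new DSigException("Verification of detached signature failed", e);
        }
    }

    /**
     * Core validation followed by the completeness check. Reference resolution uses only the ID
     * attributes registered by {@link #setResolverAttributes}, which also rejects duplicate IDs.
     */
    private boolean verifySignatureInternal(Document document, List<Element> list, IdAttribute idAttribute, PublicKey publicKey, Node node) throws MarshalException, XMLSignatureException {
        if (log.isTraceEnabled()) {
            log.trace("Will verify signature of document:\n" + dumpDOMToString(document));
        }
        DOMValidateContext validateContext = new DOMValidateContext(publicKey, node);
        setResolverAttributes(validateContext, document.getDocumentElement(), idAttribute);
        XMLSignature signature = fac.unmarshalXMLSignature(validateContext);
        boolean coreValid = signature.validate(validateContext);
        if (!coreValid) {
            log.debug("Signature failed core validation");
            if (log.isDebugEnabled()) {
                logValidationDetails(signature, validateContext);
            }
            return false;
        }
        @SuppressWarnings("unchecked")
        List<Reference> references = signature.getSignedInfo().getReferences();
        if (!checkCompletness(references, list, document, idAttribute)) {
            log.debug("Signature is correct but some of the required elements are not signed");
            return false;
        }
        return true;
    }

    /** Logs per-component validation status of a signature that failed core validation. */
    private static void logValidationDetails(XMLSignature signature, DOMValidateContext validateContext) throws XMLSignatureException {
        log.debug("signature validation status: " + signature.getSignatureValue().validate(validateContext));
        @SuppressWarnings("unchecked")
        List<Reference> references = signature.getSignedInfo().getReferences();
        int index = 0;
        for (Reference reference : references) {
            log.debug("ref[" + index + "] validity status: " + reference.validate(validateContext));
            log.debug("ref[" + index + "] digest: " + Base64.encode(reference.getDigestValue()));
            log.debug("ref[" + index + "] calculated digest: " + Base64.encode(reference.getCalculatedDigestValue()));
            index++;
        }
    }

    /**
     * Builds an XMLBeans {@code KeyInfo} holding the DER encoding of each certificate as {@code X509Certificate}.
     *
     * @throws CertificateEncodingException if a certificate cannot be encoded
     */
    public static KeyInfoType generateX509KeyInfo(X509Certificate[] x509CertificateArr) throws CertificateEncodingException {
        KeyInfoType keyInfo = KeyInfoType.Factory.newInstance();
        X509DataType x509Data = keyInfo.addNewX509Data();
        for (X509Certificate certificate : x509CertificateArr) {
            x509Data.addNewX509Certificate().setByteArrayValue(certificate.getEncoded());
        }
        return keyInfo;
    }

    /**
     * Unmarshals the {@code Signature} at {@code node} and returns its {@code Reference} list
     * without validating anything.
     *
     * @throws DSigException if the node is not a well-formed signature
     */
    public List<?> getReferencesFromSignature(Node node) throws DSigException {
        try {
            return fac.unmarshalXMLSignature(new DOMStructure(node)).getSignedInfo().getReferences();
        } catch (MarshalException e) {
            throw new DSigException("Can't unmarshal signature", e);
        }
    }

    /**
     * Walks the element subtree rooted at {@code element} and registers every occurrence of the ID
     * attribute with the context, so same-document references resolve without relying on DTD/schema
     * ID typing.
     *
     * @throws XMLSignatureException if two elements carry the same ID value
     */
    private void setResolverAttributes(DOMCryptoContext cryptoContext, Element element, IdAttribute idAttribute) throws XMLSignatureException {
        checkElementForIdAttribute(cryptoContext, element, idAttribute);
        NodeList children = element.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child instanceof Element) {
                setResolverAttributes(cryptoContext, (Element) child, idAttribute);
            }
        }
    }

    /**
     * Registers {@code element}'s ID attribute, if present, with the context. A value already
     * registered for a different element is treated as an error: during signing it indicates a
     * malformed document, during verification it can indicate an XML signature wrapping attempt.
     */
    private void checkElementForIdAttribute(DOMCryptoContext cryptoContext, Element element, IdAttribute idAttribute) throws XMLSignatureException {
        String idNs = idAttribute.getNamespace();
        String idName = idAttribute.getLocalName();
        if (!element.hasAttributeNS(idNs, idName)) {
            return;
        }
        String idValue = element.getAttributeNS(idNs, idName);
        Element alreadyRegistered = cryptoContext.getElementById(idValue);
        if (alreadyRegistered != null) {
            String message = "The XML document contains more then one element with the same identifier " + idValue + ": " + element.getNodeName() + " and " + alreadyRegistered.getNodeName() + ". In case of signing this is a bug, in case of verification can mean that there is an XSW attack.";
            log.warn(message);
            throw new XMLSignatureException(message);
        }
        cryptoContext.setIdAttributeNS(element, idNs, idName);
    }

    /**
     * Checks that every element in {@code list2} is covered by one of the signed references.
     *
     * @param list        references from the signature's {@code SignedInfo}
     * @param list2       elements that must be signed; an empty list is trivially complete
     * @param document    signed document (unused by the check itself)
     * @param idAttribute attribute whose value, prefixed with {@code #}, must match a reference URI
     * @return {@code true} if all required elements are referenced; {@code false} at the first that is not
     */
    public boolean checkCompletness(List<Reference> list, List<Element> list2, Document document, IdAttribute idAttribute) {
        Set<String> signedUris = new HashSet<String>();
        for (Reference reference : list) {
            signedUris.add(reference.getURI());
        }
        for (Element required : list2) {
            log.trace("Required part: " + required.getTagName());
            if (!checkIfNodeSigned(signedUris, required, idAttribute)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns whether {@code element} is referenced by its ID from {@code set}. An element without
     * the ID attribute cannot be matched and is reported as not signed.
     */
    private boolean checkIfNodeSigned(Set<String> set, Element element, IdAttribute idAttribute) {
        String idNs = idAttribute.getNamespace();
        String idName = idAttribute.getLocalName();
        if (!element.hasAttributeNS(idNs, idName)) {
            log.debug("Assuming that element {" + element.getNamespaceURI() + "}" + element.getLocalName() + " is not signed as it doesn't have id attribute");
            return false;
        }
        String referenceUri = "#" + element.getAttributeNS(idNs, idName);
        if (set.contains(referenceUri)) {
            return true;
        }
        log.warn("Didn't find among signed references a required element: {" + element.getNamespaceURI() + "}" + element.getLocalName() + " with id " + referenceUri);
        return false;
    }

    /** Serializes an element subtree to XML text; {@code null} if serialization fails. */
    public static String dumpDOMToString(Element element) {
        return dumpNodeToString(element);
    }

    /** Serializes a whole document to XML text; {@code null} if serialization fails. */
    public static String dumpDOMToString(Document document) {
        return dumpNodeToString(document);
    }

    /**
     * Serializes a DOM node with an identity {@link Transformer}. Used only for trace output;
     * failures are logged at WARN and reported as {@code null}.
     */
    private static String dumpNodeToString(Node node) {
        try {
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            StringWriter out = new StringWriter();
            transformer.transform(new DOMSource(node), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            log.warn("Can't serialize DOM Document to String: " + e);
            return null;
        }
    }
}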
