package org.apache.cxf.rs.security.xml;

import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.xml.stream.XMLStreamReader;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.RSSecurityUtils;
import org.apache.cxf.rs.security.common.TrustValidator;
import org.apache.cxf.rt.security.SecurityConstants;
import org.apache.cxf.rt.security.utils.SecurityUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.W3CDOMStreamReader;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transform;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:BOOT-INF/lib/cxf-rt-rs-security-xml-3.2.0.jar:org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.class */
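/**
 * Inbound handler that verifies an XML Signature (enveloped or enveloping) over the
 * request/response payload, checks that the signing key is trusted, and then hands the
 * (optionally signature-stripped) DOM downstream as an {@link XMLStreamReader}.
 *
 * <p>Security notes grounded in this implementation:
 * <ul>
 *   <li>Exactly one {@code ds:Reference} is accepted, and it must be a local ("#id")
 *       reference that resolves inside the document ({@link #getReference},
 *       {@link #validateReference}).</li>
 *   <li>If the referenced element is the document root the enveloped-signature transform
 *       must be present; a configured C14n transform, signature/C14n/digest algorithms are
 *       pinned via {@link SignatureProperties}.</li>
 *   <li>The signing certificate / public key taken from {@code ds:KeyInfo} is only accepted
 *       after {@link TrustValidator#validateTrust} succeeds against the configured
 *       {@link Crypto} and subject-DN constraints.</li>
 *   <li>Subject-DN constraints supplied per message are no longer written into the shared
 *       handler state (see {@link #getSubjectContraints}); previously one message could
 *       permanently overwrite the constraints configured for every later message.</li>
 * </ul>
 */
public class AbstractXmlSigInHandler extends AbstractXmlSecInHandler {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String ENVELOPED_TRANSFORM = DSIG_NS + "enveloped-signature";

    private SignatureProperties sigProps;
    private boolean removeSignature = true;
    private boolean persistSignature = true;
    private boolean keyInfoMustBeAvailable = true;
    /** Configured (handler-level) subject-DN constraints; only mutated by {@link #setSubjectConstraints}. */
    private final Collection<Pattern> subjectDNPatterns = new ArrayList<>();

    /** Whether the {@code ds:Signature} element is removed from the DOM handed downstream (default true). */
    public void setRemoveSignature(boolean z) {
        this.removeSignature = z;
    }

    /** Whether the verified element and signing cert/key are stored on the message (default true). */
    public void setPersistSignature(boolean z) {
        this.persistSignature = z;
    }

    /**
     * Verifies the signature carried by the message payload.
     *
     * <p>Flow: locate the {@code ds:Signature}, load the {@link Crypto}, pin the algorithms,
     * validate the single reference, verify the signature value with the key from
     * {@code ds:KeyInfo} (or, when {@link #setKeyInfoMustBeAvailable} is false and no
     * KeyInfo is present, the certificate looked up for the current user), validate trust,
     * and finally replace the message content with a stream reader over the DOM.
     *
     * <p>Every failure is reported through {@code throwFault}; failures raised inside the
     * verification block are wrapped as "Signature validation failed" with the original
     * fault as cause.
     *
     * @param message the in-flight message whose DOM is obtained via {@code getDocument}
     */
    public void checkSignature(Message message) {
        Document doc = getDocument(message);
        if (doc == null) {
            return;
        }
        Element root = doc.getDocumentElement();
        Element sigElement = getSignatureElement(root);
        if (sigElement == null) {
            throwFault("XML Signature is not available", null);
        }

        // In a two-way signed+encrypted exchange the encryption-side Crypto holds the
        // material used for signature verification.
        String cryptoKey;
        String propsKey;
        if (RSSecurityUtils.isSignedAndEncryptedTwoWay(message)) {
            cryptoKey = SecurityConstants.ENCRYPT_CRYPTO;
            propsKey = SecurityConstants.ENCRYPT_PROPERTIES;
        } else {
            cryptoKey = SecurityConstants.SIGNATURE_CRYPTO;
            propsKey = SecurityConstants.SIGNATURE_PROPERTIES;
        }
        Crypto crypto = null;
        try {
            crypto = new CryptoLoader().getCrypto(message, cryptoKey, propsKey);
        } catch (Exception ex) {
            throwFault("Crypto can not be loaded", ex);
        }

        boolean valid = false;
        Reference ref = null;
        try {
            XMLSignature signature = new XMLSignature(sigElement, "", true);
            checkSignedInfoAlgorithms(signature.getSignedInfo());

            ref = getReference(signature);
            Element signedElement = validateReference(root, ref);
            // Register the ID attribute on the element we resolved ourselves so that
            // Santuario's "#id" resolution lands on exactly that element.
            registerIdAttribute(signedElement);

            X509Certificate cert = null;
            PublicKey pubKey = null;
            KeyInfo keyInfo = signature.getKeyInfo();
            if (keyInfo != null) {
                // The key comes from the (untrusted) message; it is only meaningful after
                // validateTrust() below accepts it.
                cert = keyInfo.getX509Certificate();
                if (cert != null) {
                    valid = signature.checkSignatureValue(cert);
                } else {
                    pubKey = keyInfo.getPublicKey();
                    if (pubKey != null) {
                        valid = signature.checkSignatureValue(pubKey);
                    }
                }
            } else if (!this.keyInfoMustBeAvailable) {
                // No KeyInfo: fall back to the certificate configured for the current user.
                X509Certificate[] certs =
                    RSSecurityUtils.getCertificates(crypto, getUserName(crypto, message));
                if (certs == null || certs.length == 0) {
                    throwFault("Signature validation failed", null);
                }
                cert = certs[0];
                pubKey = cert.getPublicKey();
                valid = signature.checkSignatureValue(cert);
            }
            // Trust is validated regardless of the outcome above; the overall result is
            // still rejected below when the signature value did not verify.
            new TrustValidator().validateTrust(crypto, cert, pubKey, getSubjectContraints(message));

            if (valid && this.persistSignature) {
                if (keyInfo != null) {
                    message.put(AbstractXmlSecInHandler.SIGNING_CERT, keyInfo.getX509Certificate());
                    message.put(AbstractXmlSecInHandler.SIGNING_PUBLIC_KEY, keyInfo.getPublicKey());
                }
                // This is the element that was actually covered by the signature.
                message.setContent(Element.class, signedElement);
            }
        } catch (Exception ex) {
            throwFault("Signature validation failed", ex);
        }
        if (!valid) {
            throwFault("Signature validation failed", null);
        }

        if (this.removeSignature) {
            if (isEnveloping(root)) {
                // Enveloping: the payload lives inside ds:Object; detach it into a fresh document.
                Element body = getActualBody(root);
                DOMUtils.createDocument().adoptNode(body);
                root = body;
            } else {
                // Only the "ID" spelling is stripped here; an "Id" attribute is left in place.
                getSignedElement(root, ref).removeAttribute("ID");
                root.removeChild(sigElement);
            }
        }
        // NOTE(review): for an enveloped signature over a nested element, the reader handed
        // downstream still covers the whole document; only the element stored under
        // Element.class (when persistSignature is on) was verified. Consumers that need the
        // signed data should read that element rather than assume the full stream is covered.
        message.setContent(XMLStreamReader.class, new W3CDOMStreamReader(root));
        message.setContent(InputStream.class, null);
    }

    /**
     * Rejects a SignedInfo whose signature or canonicalization algorithm differs from the
     * one pinned in {@link SignatureProperties}; no-op when nothing is configured.
     */
    private void checkSignedInfoAlgorithms(SignedInfo signedInfo) {
        if (this.sigProps == null) {
            return;
        }
        String expectedSigAlgo = this.sigProps.getSignatureAlgo();
        if (expectedSigAlgo != null && !expectedSigAlgo.equals(signedInfo.getSignatureMethodURI())) {
            throwFault("Signature Algorithm is not supported", null);
        }
        String expectedC14n = this.sigProps.getSignatureC14nMethod();
        if (expectedC14n != null && !expectedC14n.equals(signedInfo.getCanonicalizationMethodURI())) {
            throwFault("Signature C14n Algorithm is not supported", null);
        }
    }

    /** Marks an "ID"/"Id" attribute (no namespace) on the element as a DOM ID attribute. */
    private static void registerIdAttribute(Element element) {
        if (element.hasAttributeNS(null, "ID")) {
            element.setIdAttributeNS(null, "ID", true);
        }
        if (element.hasAttributeNS(null, "Id")) {
            element.setIdAttributeNS(null, "Id", true);
        }
    }

    /**
     * Returns the user name whose certificate is used when no KeyInfo is present: the
     * authenticated principal's name if a {@link SecurityContext} is on the message,
     * otherwise the name derived from the {@link Crypto} configuration.
     */
    protected String getUserName(Crypto crypto, Message message) {
        SecurityContext sc = (SecurityContext) message.get(SecurityContext.class);
        if (sc != null && sc.getUserPrincipal() != null) {
            return sc.getUserPrincipal().getName();
        }
        return RSSecurityUtils.getUserName(crypto, null);
    }

    /**
     * For an enveloping signature, returns the first element inside the first
     * {@code ds:Object}; faults when either is missing.
     */
    private Element getActualBody(Element element) {
        Element object = getNode(element, DSIG_NS, Constants._TAG_OBJECT, 0);
        if (object == null) {
            throwFault("Object envelope is not available", null);
        }
        Element body = DOMUtils.getFirstElement(object);
        if (body == null) {
            throwFault("No signed data is found", null);
        }
        return body;
    }

    /**
     * The root itself when it is a {@code ds:Signature}, otherwise the first direct
     * {@code ds:Signature} child of the root (null when absent).
     */
    private Element getSignatureElement(Element element) {
        if (isEnveloping(element)) {
            return element;
        }
        return DOMUtils.getFirstChildWithName(element, DSIG_NS, "Signature");
    }

    /** True when the element is {@code ds:Signature}, i.e. the signature envelops the payload. */
    protected boolean isEnveloping(Element element) {
        return DSIG_NS.equals(element.getNamespaceURI()) && "Signature".equals(element.getLocalName());
    }

    /**
     * Returns the single {@code ds:Reference}; faults when there is not exactly one, so a
     * second reference can never silently widen or narrow what is considered signed.
     */
    protected Reference getReference(XMLSignature signature) {
        SignedInfo signedInfo = signature.getSignedInfo();
        if (signedInfo.getLength() != 1) {
            throwFault("Multiple Signature References are not currently supported", null);
        }
        try {
            return signedInfo.item(0);
        } catch (XMLSecurityException ex) {
            throwFault("Signature Reference is not available", ex);
            return null;
        }
    }

    /**
     * Checks the reference and returns the element it points at.
     *
     * <p>Rules enforced: the URI must be a local "#id" (null, empty, and external URIs are
     * rejected); the id must resolve within the document; when it resolves to the root the
     * enveloped-signature transform must be present; a C14n transform configured in
     * {@link SignatureProperties} must be present; a configured digest algorithm must match
     * the {@code ds:DigestMethod} when that child exists.
     *
     * @param root the document element the id is resolved against
     * @param reference the single reference of the signature
     * @return the referenced (signed) element
     */
    protected Element validateReference(Element root, Reference reference) {
        String uri = reference.getURI();
        if (uri == null || !uri.startsWith("#") || uri.length() <= 1) {
            throwFault("Only local Signature References are supported", null);
        }
        Element signedElement = getSignedElement(root, reference);
        if (signedElement == null) {
            throwFault("Signature Reference ID is invalid", null);
        }
        boolean rootIsSigned = signedElement == root;

        Transforms transforms = null;
        try {
            transforms = reference.getTransforms();
        } catch (XMLSecurityException ex) {
            throwFault("Signature transforms can not be obtained", ex);
        }
        String requiredC14nTransform =
            this.sigProps != null ? this.sigProps.getSignatureC14nTransform() : null;
        boolean envelopedSeen = false;
        boolean c14nSeen = false;
        // A reference with no Transforms element is treated as having zero transforms so
        // the checks below produce a specific fault instead of a NullPointerException.
        int transformCount = transforms == null ? 0 : transforms.getLength();
        for (int i = 0; i < transformCount; i++) {
            try {
                String transformUri = transforms.item(i).getURI();
                if (ENVELOPED_TRANSFORM.equals(transformUri)) {
                    envelopedSeen = true;
                } else if (requiredC14nTransform != null && requiredC14nTransform.equals(transformUri)) {
                    c14nSeen = true;
                }
            } catch (Exception ex) {
                throwFault("Problem accessing Transform instance", ex);
            }
        }
        if (rootIsSigned && !envelopedSeen) {
            throwFault("Only enveloped signatures are currently supported", null);
        }
        if (requiredC14nTransform != null && !c14nSeen) {
            throwFault("Transform Canonicalization is not supported", null);
        }
        checkDigestAlgorithm(reference);
        return signedElement;
    }

    /**
     * Compares the reference's {@code ds:DigestMethod/@Algorithm} with the configured digest
     * algorithm. A reference without a DigestMethod child is not rejected here (existing
     * behaviour); the underlying signature library is relied on for that case.
     */
    private void checkDigestAlgorithm(Reference reference) {
        if (this.sigProps == null || this.sigProps.getSignatureDigestAlgo() == null) {
            return;
        }
        Element digestMethod = DOMUtils.getFirstChildWithName(reference.getElement(), DSIG_NS, "DigestMethod");
        if (digestMethod != null
            && !digestMethod.getAttribute("Algorithm").equals(this.sigProps.getSignatureDigestAlgo())) {
            throwFault("Signature Digest Algorithm is not supported", null);
        }
    }

    /**
     * Resolves the reference id: the root itself when its "ID" attribute matches, otherwise
     * a lookup by id below the root. Only the "ID" spelling is compared on the root; other
     * spellings are left to {@code XMLUtils.findElementById}.
     */
    private Element getSignedElement(Element root, Reference reference) {
        String id = reference.getURI().substring(1);
        if (id.equals(root.getAttribute("ID"))) {
            return root;
        }
        return XMLUtils.findElementById(root, id, true);
    }

    public void setSignatureProperties(SignatureProperties signatureProperties) {
        this.sigProps = signatureProperties;
    }

    /**
     * When false, a signature without {@code ds:KeyInfo} is verified with the certificate
     * configured for the current user instead of being rejected (default true).
     */
    public void setKeyInfoMustBeAvailable(boolean z) {
        this.keyInfoMustBeAvailable = z;
    }

    /**
     * Replaces the handler-level subject-DN constraints with the given regular expressions
     * (each trimmed). A null list leaves the current constraints untouched.
     *
     * @throws PatternSyntaxException if any entry is not a valid regular expression
     */
    public void setSubjectConstraints(List<String> list) {
        if (list == null) {
            return;
        }
        this.subjectDNPatterns.clear();
        for (String constraint : list) {
            this.subjectDNPatterns.add(Pattern.compile(constraint.trim()));
        }
    }

    /**
     * Subject-DN constraints for this message: the comma-separated
     * {@code SecurityConstants.SUBJECT_CERT_CONSTRAINTS} property when set on the message,
     * otherwise the handler-level constraints.
     *
     * <p>Per-message constraints are compiled into a fresh list and never written into the
     * shared {@link #subjectDNPatterns}; the handler is shared between requests, and the
     * previous behaviour let one message's property clobber the configured constraints for
     * every subsequent message (and race with concurrent readers of the list).
     *
     * @throws PatternSyntaxException if a per-message entry is not a valid regular expression
     */
    private Collection<Pattern> getSubjectContraints(Message message) throws PatternSyntaxException {
        String constraints =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, message);
        if (constraints == null) {
            return this.subjectDNPatterns;
        }
        List<Pattern> perMessage = new ArrayList<>();
        for (String constraint : constraints.split(",")) {
            perMessage.add(Pattern.compile(constraint.trim()));
        }
        return perMessage;
    }
}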
