package org.spin.tools.crypto;

import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.bind.JAXBException;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509IssuerSerial;
import org.apache.log4j.Logger;
import org.apache.xml.security.utils.Constants;
import org.spin.tools.ClassTools;
import org.spin.tools.DynamicLoadingException;
import org.spin.tools.JAXBUtils;
import org.spin.tools.Maybe;
import org.spin.tools.Util;
import org.spin.tools.crypto.signature.Identity;
import org.spin.tools.crypto.signature.Signable;
import org.spin.tools.crypto.signature.Signature;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/spin/tools/crypto/XMLSignatureUtil.class */
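/**
 * Produces and verifies enveloped XML-DSig signatures over JAXB-marshallable objects.
 *
 * <p>Signing uses the private key and certificate supplied by the configured {@link PKITool}.
 * The signature's {@code KeyInfo} always carries the signer's issuer name and serial number and,
 * when requested, the signer's certificate itself. Verification first tries a certificate attached
 * to the signature (accepted only if it verifies against a CA certificate known to the
 * {@link PKITool} and is within its validity period) and otherwise looks the signer's public key up
 * by serial number in the local keystore.
 *
 * <p>All instance fields are final; the only mutable state is the lazily created default instance,
 * which is guarded by {@link #lock}.
 *
 * <p>The signature and digest algorithms are fixed to {@link SignatureMethod#RSA_SHA1} and
 * {@link DigestMethod#SHA1}. SHA-1 is no longer considered collision resistant, and newer JDK
 * secure-validation policies may reject it; the algorithms are kept here for wire-compatibility
 * with existing signatures and verifiers, so changing them is a cross-version decision, not a
 * local fix.
 */
public final class XMLSignatureUtil {
    /** System property naming the JSR-105 {@link Provider} class used for the DOM signature factory. */
    private static final String PROVIDER_PROPERTY = "jsr105Provider";
    /** Provider class used when {@link #PROVIDER_PROPERTY} is not set. */
    private static final String DEFAULT_PROVIDER_CLASS = "org.jcp.xml.dsig.internal.dom.XMLDSigRI";
    /** Certificate type requested from {@link CertificateFactory} when decoding attached certificates. */
    private static final String X509_CERTIFICATE_TYPE = "X.509";

    /** Fully qualified class name of the JSR-105 provider, resolved once per instance. */
    private final String providerName;
    /** Default for the "attach signer certificate" flag, taken from the {@link PKITool} config. */
    private final boolean attachPublicKeyToSignatures;
    /** Source of the signing key, signer certificate, CA certificates and keystore lookups. */
    private final PKITool pkiTool;
    /** Lazily created singleton; read and written only while holding {@link #lock}. */
    private static XMLSignatureUtil defaultInstance;
    private static final Logger log = Logger.getLogger(XMLSignatureUtil.class);
    private static final Object lock = new Object();

    /**
     * Whether a signature should carry the signer's certificate.
     *
     * <p>Not referenced inside this class; the {@code boolean} flag on {@link #sign(Object, Class, boolean)}
     * and {@link #signObject(Object, boolean)} currently carries the same choice (presumably this enum
     * was meant to replace that flag).
     */
    public enum SignerStrategy {
        AttachSigningKey,
        DoNotAttachSigningKey
    }

    /** Creates the default-instance utility backed by {@link PKITool#getInstance()}. */
    private XMLSignatureUtil() {
        this(PKITool.getInstance());
    }

    /**
     * Creates a utility backed by the given {@link PKITool}.
     *
     * @param pKITool source of the signing key, signer certificate, CA certificates and keystore
     *     lookups; must not be null
     */
    public XMLSignatureUtil(PKITool pKITool) {
        Util.guardNotNull(pKITool);
        this.providerName = System.getProperty(PROVIDER_PROPERTY, DEFAULT_PROVIDER_CLASS);
        this.pkiTool = pKITool;
        this.attachPublicKeyToSignatures = pKITool.getConfig().getAttachCertificateToSignature();
    }

    /**
     * Returns the process-wide default instance, creating it on first use.
     *
     * @return the shared instance backed by {@link PKITool#getInstance()}
     */
    public static final XMLSignatureUtil getDefaultInstance() {
        // One lock acquisition covers both the null check and the publication of the
        // new instance; the previous two-level locking was reentrant but redundant.
        synchronized (lock) {
            if (defaultInstance == null) {
                defaultInstance = new XMLSignatureUtil();
            }
            return defaultInstance;
        }
    }

    /**
     * Signs an identity using the configured certificate-attachment default.
     *
     * @param identity the identity to sign; its timestamp is normalized before signing
     * @return a new, signed {@link Identity}
     * @throws XMLSignatureException if signing or re-unmarshalling fails
     */
    public Identity sign(Identity identity) throws XMLSignatureException {
        return sign(identity, this.attachPublicKeyToSignatures);
    }

    /**
     * Signs an identity, attaching the signer certificate when {@code z} is true.
     *
     * @param identity the identity to sign; its timestamp is normalized before signing
     * @param z whether to embed the signer's certificate in the signature's KeyInfo
     * @return a new, signed {@link Identity}
     * @throws XMLSignatureException if signing or re-unmarshalling fails
     */
    public Identity sign(Identity identity, boolean z) throws XMLSignatureException {
        return sign(identity.withNormalizedTimestamp(), Identity.class, z);
    }

    /**
     * Signs a JAXB-marshallable object using the configured certificate-attachment default.
     *
     * @param t the object to sign
     * @param cls the object's class, used to unmarshal the signed element back into a {@code T}
     * @param <T> the signed type
     * @return a new {@code T} carrying the enveloped signature
     * @throws XMLSignatureException if signing or re-unmarshalling fails
     */
    public <T> T sign(T t, Class<T> cls) throws XMLSignatureException {
        return sign(t, cls, this.attachPublicKeyToSignatures);
    }

    /**
     * Signs a JAXB-marshallable object, attaching the signer certificate when {@code z} is true.
     *
     * @param t the object to sign
     * @param cls the object's class, used to unmarshal the signed element back into a {@code T}
     * @param z whether to embed the signer's certificate in the signature's KeyInfo
     * @param <T> the signed type
     * @return a new {@code T} carrying the enveloped signature
     * @throws XMLSignatureException if signing fails or the signed element cannot be unmarshalled
     * @deprecated use {@link #sign(Object, Class)}, which takes the attachment choice from the
     *     {@link PKITool} configuration
     */
    @Deprecated
    public <T> T sign(T t, Class<T> cls, boolean z) throws XMLSignatureException {
        try {
            // cls.cast is a checked cast; an unchecked (T) cast would only fail later at the caller.
            return cls.cast(JAXBUtils.unmarshal(signObject(t, z), cls));
        } catch (JAXBException e) {
            throw new XMLSignatureException("Error unmarshalling signed " + cls.getName(), e);
        }
    }

    /**
     * Marshals an object to a DOM element and envelopes an XML signature in it, using the
     * configured certificate-attachment default.
     *
     * @param obj the object to sign
     * @return the marshalled element with the signature appended
     * @throws XMLSignatureException if marshalling, key retrieval or signing fails
     */
    public Element signObject(Object obj) throws XMLSignatureException {
        return signObject(obj, this.attachPublicKeyToSignatures);
    }

    /**
     * Marshals an object to a DOM element and envelopes an XML signature in it.
     *
     * <p>The signature covers the whole element (Reference URI {@code ""} with the enveloped
     * transform), uses inclusive C14N with comments, RSA-SHA1 and a SHA-1 digest, and carries the
     * signer's issuer/serial in its KeyInfo plus the signer's certificate when {@code z} is true.
     *
     * @param obj the object to sign
     * @param z whether to embed the signer's certificate in the signature's KeyInfo
     * @return the marshalled element with the signature appended
     * @throws XMLSignatureException if marshalling, key retrieval or signing fails
     * @deprecated use {@link #signObject(Object)}, which takes the attachment choice from the
     *     {@link PKITool} configuration
     */
    @Deprecated
    public Element signObject(Object obj, boolean z) throws XMLSignatureException {
        try {
            XMLSignatureFactory factory = getXMLSignatureFactory();
            KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();

            // URI "" + enveloped transform: the signature covers the document it is embedded in.
            SignedInfo signedInfo = factory.newSignedInfo(
                    factory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS, (XMLStructure) null),
                    factory.newSignatureMethod(SignatureMethod.RSA_SHA1, null),
                    Collections.singletonList(factory.newReference("",
                            factory.newDigestMethod(DigestMethod.SHA1, null),
                            Collections.singletonList(factory.newTransform(Transform.ENVELOPED, (XMLStructure) null)),
                            null, null)));

            X509Certificate signerCert = this.pkiTool.getX509Certificate(this.pkiTool.getMyCertID());
            X509IssuerSerial issuerSerial = keyInfoFactory.newX509IssuerSerial(
                    signerCert.getIssuerX500Principal().getName(), signerCert.getSerialNumber());
            // Issuer/serial is always present so verifiers can find the key in their keystore;
            // the certificate itself is optional.
            XMLSignature signature = factory.newXMLSignature(signedInfo,
                    keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(
                            z ? Arrays.asList(issuerSerial, signerCert) : Arrays.asList(issuerSerial)))));

            Element root = JAXBUtils.marshalToElement(obj);
            signature.sign(new DOMSignContext(this.pkiTool.getMyPrivateKey(), root));
            return root;
        } catch (Exception e) {
            // Boundary: marshalling, key/certificate retrieval and the JSR-105 API each throw
            // their own checked types; callers only ever see XMLSignatureException.
            throw new XMLSignatureException("Failed to sign object", e);
        }
    }

    /**
     * Verifies a signable object's signature against a trusted key.
     *
     * <p>Order of trust decisions:
     * <ol>
     *   <li>the signature must carry an issuer/serial, otherwise {@code false};</li>
     *   <li>a certificate attached to the signature is used if it verifies against a known CA
     *       certificate and is currently valid ({@link #attemptVerificationUsingCaKey});</li>
     *   <li>otherwise the public key with that serial is looked up in the local keystore.</li>
     * </ol>
     *
     * @param signable the signed object
     * @return {@code true} if the signature validates against a trusted key, {@code false} if no
     *     trusted key can be determined or validation fails
     * @throws XMLSignatureException if the keystore-key path fails to marshal or parse the signature
     */
    public final boolean verifySignature(Signable signable) throws XMLSignatureException {
        BigInteger signerSerial = determineSigningKeySerial(signable);
        if (signerSerial == null) {
            // Without an issuer/serial there is no way to locate a trusted key, so the
            // signature is treated as unverifiable even if a certificate is attached.
            return false;
        }
        Iterator<Boolean> attachedCertResult = attemptVerificationUsingCaKey(signable).getValue().iterator();
        if (attachedCertResult.hasNext()) {
            // Only ever TRUE: the attached-certificate path yields a value solely on success.
            return attachedCertResult.next().booleanValue();
        }
        PublicKey keystoreKey = getSignerPubKeyFromLocalKeystore(signerSerial);
        if (keystoreKey == null) {
            return false;
        }
        return verifySignature(signable, keystoreKey);
    }

    /**
     * Tries to verify the signature with the certificate embedded in it.
     *
     * <p>The attached certificate is untrusted input. It is accepted only after it verifies against
     * the CA certificate the {@link PKITool} holds for its issuer and passes a validity-period
     * check; the issuer name taken from the certificate merely selects which configured CA key to
     * check against.
     *
     * @param signable the signed object
     * @return {@code Maybe.valid(TRUE)} when the attached certificate is trusted and its key
     *     validates the signature; {@code Maybe.empty()} in every other case (never FALSE), so the
     *     caller can fall back to a keystore lookup
     */
    private Maybe<Boolean> attemptVerificationUsingCaKey(Signable signable) {
        final X509Certificate attached;
        try {
            attached = getX509Certificate(signable.getSignature());
        } catch (CertificateException e) {
            // Expected for signatures that carry only issuer/serial.
            if (log.isDebugEnabled()) {
                log.debug("No usable certificate attached to the signature, proceeding with keystore lookup.");
            }
            return Maybe.empty();
        }
        if (attached == null) {
            return Maybe.empty();
        }
        try {
            attached.verify(this.pkiTool.getCaCertificate(attached.getIssuerDN()).getPublicKey());
            // A CA-issued but expired / not-yet-valid certificate must not vouch for a signature.
            attached.checkValidity();
            if (verifySignature(signable, attached.getPublicKey())) {
                return Maybe.valid(Boolean.TRUE);
            }
        } catch (CertificateException e) {
            log.warn("Attached certificate rejected (CA lookup, chain or validity check failed), "
                    + "falling back to keystore lookup.", e);
        } catch (Exception e2) {
            log.error("Error verifying signature with attached certificate: ", e2);
        }
        return Maybe.empty();
    }

    /**
     * Looks the signer's public key up in the local keystore by certificate serial number.
     *
     * @param bigInteger the serial number from the signature's KeyInfo
     * @return the key, or {@code null} if the lookup fails (the failure is logged)
     */
    private PublicKey getSignerPubKeyFromLocalKeystore(BigInteger bigInteger) {
        try {
            return this.pkiTool.getPublicKey(bigInteger);
        } catch (Exception e) {
            // Best-effort lookup: a missing key means "cannot verify", not a hard failure.
            log.warn("Error getting signer key with serial '" + bigInteger + "', can't verify signature", e);
            return null;
        }
    }

    /**
     * Extracts the signer certificate serial number from the signature's KeyInfo.
     *
     * @param signable the signed object (may be null)
     * @return the serial, or {@code null} if any link in
     *     {@code signature.keyInfo.certData.certID} is missing
     */
    private BigInteger determineSigningKeySerial(Signable signable) {
        // Explicit null checks replace the former catch of NullPointerException, which also
        // masked NPEs thrown from inside the getters.
        if (signable != null
                && signable.getSignature() != null
                && signable.getSignature().getKeyInfo() != null
                && signable.getSignature().getKeyInfo().getCertData() != null
                && signable.getSignature().getKeyInfo().getCertData().getCertID() != null) {
            return signable.getSignature().getKeyInfo().getCertData().getCertID().getSerial();
        }
        log.warn("Can't determine signing key");
        return null;
    }

    /**
     * Marshals a signable object to DOM and verifies its signature with the given key.
     *
     * @param signable the signed object
     * @param publicKey the key the signature is expected to validate against
     * @return the result of core validation
     * @throws XMLSignatureException if marshalling fails, no signature element is present or the
     *     signature cannot be parsed
     */
    public final boolean verifySignature(Signable signable, PublicKey publicKey) throws XMLSignatureException {
        try {
            return verifySignature(JAXBUtils.marshalToElement(signable), publicKey);
        } catch (JAXBException e) {
            throw new XMLSignatureException("Couldn't marshal signable object", e);
        }
    }

    /**
     * Verifies the first {@code ds:Signature} element found under {@code element} with the given key.
     *
     * @param element the signed DOM element
     * @param publicKey the key the signature is expected to validate against
     * @return the result of core validation (signature value and all references)
     * @throws XMLSignatureException if {@code element} is null, no signature element is present, or
     *     the signature cannot be parsed or validated
     */
    public final boolean verifySignature(Element element, PublicKey publicKey) throws XMLSignatureException {
        if (element == null) {
            throw new XMLSignatureException("No element to verify!");
        }
        NodeList signatures = element.getElementsByTagNameNS(XMLSignature.XMLNS, Constants._TAG_SIGNATURE);
        Node signatureNode = (signatures == null || signatures.getLength() < 1) ? null : signatures.item(0);
        if (signatureNode == null) {
            throw new XMLSignatureException("No signature found!");
        }
        // NOTE(review): the first ds:Signature anywhere under 'element' is validated, and core
        // validation only checks that the signature's own References resolve and match. Whether
        // those References cover 'element' itself (signObject emits URI "" + enveloped transform)
        // is not confirmed here; callers that accept documents from other signers should inspect
        // the validated References before trusting the content. No secureValidation property is
        // set on the context, so the provider's own defaults apply — confirm them for the
        // deployed runtime.
        DOMValidateContext validateContext = new DOMValidateContext(publicKey, signatureNode);
        try {
            return getXMLSignatureFactory().unmarshalXMLSignature(validateContext).validate(validateContext);
        } catch (MarshalException e) {
            throw new XMLSignatureException("Couldn't unmarshal XML signature", e);
        }
    }

    /**
     * Decodes the X.509 certificate embedded in a signature's KeyInfo.
     *
     * <p>The returned certificate is whatever the signer attached; it is not trusted until it has
     * been verified against a CA certificate (see {@link #attemptVerificationUsingCaKey}).
     *
     * @param signature the signature whose KeyInfo holds the DER-encoded certificate
     * @return the decoded certificate
     * @throws CertificateException if no certificate bytes are present or they cannot be decoded
     */
    public final X509Certificate getX509Certificate(Signature signature) throws CertificateException {
        byte[] encoded = null;
        if (signature != null
                && signature.getKeyInfo() != null
                && signature.getKeyInfo().getCertData() != null) {
            encoded = signature.getKeyInfo().getCertData().getX509Certificate();
        }
        if (encoded == null) {
            // Former code reached this via a caught NullPointerException; an explicit check
            // reports the same CertificateException without masking other NPEs.
            if (log.isDebugEnabled()) {
                log.debug("Couldn't get attached X509 signature");
            }
            throw new CertificateException("Error getting attached certificate: no certificate in KeyInfo");
        }
        return (X509Certificate) CertificateFactory.getInstance(X509_CERTIFICATE_TYPE)
                .generateCertificate(new ByteArrayInputStream(encoded));
    }

    /**
     * Creates a DOM {@link XMLSignatureFactory} from the configured JSR-105 provider class.
     *
     * @return a fresh factory (a new provider instance is created on every call)
     * @throws XMLSignatureException if the provider class cannot be loaded or instantiated
     */
    private final XMLSignatureFactory getXMLSignatureFactory() throws XMLSignatureException {
        try {
            return XMLSignatureFactory.getInstance("DOM", (Provider) ClassTools.createInstance(this.providerName, Provider.class));
        } catch (DynamicLoadingException e) {
            throw new XMLSignatureException("Couldn't create XMLSignatureFactory using provider class '" + this.providerName + "': ", e);
        }
    }
}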
