package de.governikus.autent.crypto.utils;

import de.governikus.autent.crypto.utils.exceptions.SignatureException;
import de.governikus.autent.key.utils.KeyStoreWrapper;
import de.governikus.autent.xml.utils.XmlHelper;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:de/governikus/autent/crypto/utils/XmlSigner.class */
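public final class XmlSigner {
    private static final Logger log = LoggerFactory.getLogger(XmlSigner.class);

    /** JCA mechanism name for the DOM-based XMLDSig implementation. */
    private static final String MECHANISM_DOM = "DOM";

    /** Digest algorithm URI used for the single enveloped reference. */
    private static final String DIGEST_METHOD_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";

    /** Signature algorithm URI; the signing key is expected to be an RSA key. */
    private static final String SIGNATURE_METHOD_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Canonicalization applied to SignedInfo before signing / verifying. */
    private static final String C14N_EXCLUSIVE = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** Transform that strips the ds:Signature element itself from the signed content. */
    private static final String TRANSFORM_ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";

    /** Local name of the signature element looked up in the XMLDSig namespace. */
    private static final String SIGNATURE_ELEMENT = "Signature";

    /**
     * Default key selector: takes the validation key from the first {@link X509Certificate}
     * found inside an {@link X509Data} element of the signature's own KeyInfo.
     *
     * <p>Because the certificate comes from the (untrusted) signed document itself, a
     * successful validation with this selector only proves that the document was signed
     * with the key matching the embedded certificate — it does not establish that the
     * certificate is trusted. Trust decisions (chain building, pinning) must be made by
     * the caller, or a trusted-key {@link KeySelector} must be supplied to
     * {@link XmlSigner#verifyXmlSignature(String, KeySelector)}.
     */
    private static final class KeyValueKeySelector extends KeySelector {
        private KeyValueKeySelector() {
        }

        /**
         * Selects the public key of the first X509Certificate contained in any X509Data entry
         * of {@code keyInfo}.
         *
         * @throws KeySelectorException if {@code keyInfo} is null, empty, or contains no
         *                              X509Data entry with a certificate. Throwing (instead of
         *                              returning null) lets the XMLDSig runtime report a proper
         *                              "cannot find validation key" failure rather than an NPE.
         */
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod algorithmMethod, XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) {
                throw new KeySelectorException("Null KeyInfo object!");
            }
            if (keyInfo.getContent().isEmpty()) {
                throw new KeySelectorException("No KeyValue element found!");
            }
            // KeyInfo content is a list of XMLStructure; only X509Data carries a certificate we can use.
            for (Object keyInfoEntry : keyInfo.getContent()) {
                if (!(keyInfoEntry instanceof X509Data)) {
                    continue;
                }
                for (Object x509Entry : ((X509Data) keyInfoEntry).getContent()) {
                    if (x509Entry instanceof X509Certificate) {
                        return new SimpleKeySelectorResult(((X509Certificate) x509Entry).getPublicKey());
                    }
                }
            }
            throw new KeySelectorException("No X509Certificate found in KeyInfo X509Data!");
        }
    }

    /** Immutable {@link KeySelectorResult} wrapping a single public key. */
    private static final class SimpleKeySelectorResult implements KeySelectorResult {
        private final PublicKey publicKey;

        SimpleKeySelectorResult(PublicKey publicKey) {
            this.publicKey = publicKey;
        }

        @Override
        public Key getKey() {
            return this.publicKey;
        }
    }

    /**
     * Signs {@code xml} with the private key and certificate stored under {@code alias}.
     *
     * @param xml             the XML document to sign
     * @param keyStoreWrapper key store holding the signing key and its certificate
     * @param alias           key store alias of the signing key
     * @return the signed document as string, see {@link #createEnvelopedSignature(String, PrivateKey, X509Certificate)}
     * @throws IllegalStateException if no private key or no certificate exists for {@code alias}
     */
    public static String createEnvelopedSignature(String xml, KeyStoreWrapper keyStoreWrapper, String alias) {
        PrivateKey privateKey = (PrivateKey) keyStoreWrapper.getPrivateKey(alias)
            .orElseThrow(() -> new IllegalStateException("no signing key found for alias: " + alias));
        X509Certificate certificate = (X509Certificate) keyStoreWrapper.getCertificate(alias)
            .orElseThrow(() -> new IllegalStateException("no certificate found for alias: " + alias));
        return createEnvelopedSignature(xml, privateKey, certificate);
    }

    /**
     * Creates an enveloped XMLDSig signature (RSA-SHA256, SHA-256 digest, exclusive C14N) over
     * the whole document and appends the ds:Signature element to the document element.
     *
     * <p>The certificate is embedded as KeyInfo/X509Data so that
     * {@link #verifyXmlSignature(String)} can locate the validation key.
     *
     * @param xml             the XML document to sign
     * @param privateKey      the signing key (RSA, matching {@code SIGNATURE_METHOD_RSA_SHA256})
     * @param x509Certificate certificate of the signing key, embedded into the signature
     * @return the signed document serialized to a string
     * @throws SignatureException if the document cannot be parsed or signing fails
     */
    public static String createEnvelopedSignature(String xml, PrivateKey privateKey, X509Certificate x509Certificate) {
        Document document = XmlHelper.toDocument(xml);
        if (document == null) {
            throw new SignatureException("signature cannot be provided if document is null");
        }
        try {
            log.trace("starting to create enveloped signature...");
            log.trace("messageDigestAlgorithm: {}", DIGEST_METHOD_SHA256);
            log.trace("signatureAlgorithm: {}", SIGNATURE_METHOD_RSA_SHA256);
            XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance(MECHANISM_DOM);

            // A single reference with URI "" covers the whole document; the enveloped-signature
            // transform excludes the ds:Signature element that is inserted afterwards.
            Reference reference = signatureFactory.newReference("",
                signatureFactory.newDigestMethod(DIGEST_METHOD_SHA256, (DigestMethodParameterSpec) null),
                Collections.singletonList(signatureFactory.newTransform(TRANSFORM_ENVELOPED, (TransformParameterSpec) null)),
                (String) null,
                (String) null);
            SignedInfo signedInfo = signatureFactory.newSignedInfo(
                signatureFactory.newCanonicalizationMethod(C14N_EXCLUSIVE, (C14NMethodParameterSpec) null),
                signatureFactory.newSignatureMethod(SIGNATURE_METHOD_RSA_SHA256, (SignatureMethodParameterSpec) null),
                Collections.singletonList(reference));

            KeyInfoFactory keyInfoFactory = signatureFactory.getKeyInfoFactory();
            KeyInfo keyInfo = keyInfoFactory.newKeyInfo(
                Collections.singletonList(keyInfoFactory.newX509Data(Collections.singletonList(x509Certificate))));

            // sign() mutates the DOM: the ds:Signature element becomes the last child of the document element.
            signatureFactory.newXMLSignature(signedInfo, keyInfo)
                .sign(new DOMSignContext(privateKey, document.getDocumentElement()));
            log.debug("signature creation was successful.");

            // Serialize once; the original serialized twice (once for the trace log, once for the return).
            String signedXml = XmlHelper.documentToString(document);
            log.trace("{}", signedXml);
            return signedXml;
        } catch (InvalidAlgorithmParameterException | XMLSignatureException | NoSuchAlgorithmException | MarshalException e) {
            throw new SignatureException("signature could not be provided", e);
        }
    }

    /**
     * Verifies the first ds:Signature element of {@code xml} using the certificate embedded in
     * the signature's own KeyInfo (see {@link KeyValueKeySelector}).
     *
     * <p>Security note: this establishes integrity against the embedded certificate only.
     * Whether that certificate is trusted is NOT checked here; callers must do so
     * separately or use {@link #verifyXmlSignature(String, KeySelector)} with a selector
     * that returns a trusted key.
     *
     * @param xml the signed document
     * @throws SignatureException if the input is blank or unparseable, no Signature element is
     *                            present, the signature is the root element, or validation fails
     */
    public static void verifyXmlSignature(String xml) {
        verifyXmlSignature(xml, new KeyValueKeySelector());
    }

    /**
     * Verifies the first ds:Signature element of {@code xml} with the validation key chosen by
     * {@code keySelector}.
     *
     * <p>Only the first ds:Signature element in document order is validated; additional
     * signature elements are ignored (a warning is logged). The signature's references are
     * not checked to cover the whole document (URI ""), so a caller that relies on the
     * entire document being signed must verify that separately.
     *
     * <p>Validation failure always results in a {@link SignatureException}, independent of
     * the configured log level. Per-reference diagnostics are logged at trace level when
     * debug logging is enabled.
     *
     * @param xml         the signed document
     * @param keySelector selector providing the validation key for the signature's KeyInfo
     * @throws IllegalArgumentException if {@code keySelector} is null
     * @throws SignatureException       if the input is blank or unparseable, no Signature element is
     *                                  present, the signature is the root element, or validation fails
     */
    public static void verifyXmlSignature(String xml, KeySelector keySelector) {
        if (StringUtils.isBlank(xml)) {
            throw new SignatureException("signature cannot be verified if document is null.");
        }
        if (keySelector == null) {
            throw new IllegalArgumentException("keySelector must not be null");
        }
        Document document = XmlHelper.toDocument(xml);
        if (document == null) {
            // XmlHelper.toDocument may yield null (createEnvelopedSignature guards the same case).
            throw new SignatureException("signature cannot be verified if document is null.");
        }
        document.normalizeDocument();
        try {
            log.trace("starting verification of signature...");
            NodeList signatureNodes = document.getElementsByTagNameNS(XMLSignature.XMLNS, SIGNATURE_ELEMENT);
            if (signatureNodes.getLength() == 0) {
                throw new SignatureException("Cannot find Signature element.\n Remember that the successful verification of the signature will remove the signature from the document!");
            }
            if (signatureNodes.getLength() > 1) {
                log.warn("document contains {} Signature elements; only the first one is verified.", signatureNodes.getLength());
            }
            // Capture the node before it is detached: the NodeList is live and changes on removeChild.
            Node signatureNode = signatureNodes.item(0);
            DOMValidateContext validateContext = new DOMValidateContext(keySelector, signatureNode);
            Node parent = signatureNode.getParentNode();
            if (parent == null) {
                throw new SignatureException("signature node cannot be removed for it is representing the root node.");
            }
            log.trace("remove signature from document.");
            parent.removeChild(signatureNode);
            log.trace("signature was removed from document.");

            XMLSignature signature = XMLSignatureFactory.getInstance(MECHANISM_DOM).unmarshalXMLSignature(validateContext);
            if (signature.validate(validateContext)) {
                log.debug("document signature was verified successfully.");
                if (log.isTraceEnabled()) {
                    log.trace("{}", XmlHelper.documentToString(document));
                }
                return;
            }
            log.error("document signature could not be verified.");
            if (log.isDebugEnabled()) {
                logValidationDetails(signature, validateContext);
            }
            // Fix: the previous implementation returned normally on failure when debug logging
            // was disabled, so a bad signature was only reported when debug was on.
            throw new SignatureException("signature verfication has failed. The signature does not match the XML.");
        } catch (XMLSignatureException | MarshalException e) {
            throw new SignatureException("document signature could not be verified", e);
        }
    }

    /**
     * Logs the validation status of the SignatureValue and of every Reference at trace level,
     * to help diagnose which part of a failed signature does not match.
     *
     * @throws XMLSignatureException if a core-validation step cannot be performed
     */
    private static void logValidationDetails(XMLSignature signature, DOMValidateContext validateContext) throws XMLSignatureException {
        log.trace("verifySignature: verified by value! signature validation status={}",
            signature.getSignatureValue().validate(validateContext));
        int index = 0;
        for (Object referenceEntry : signature.getSignedInfo().getReferences()) {
            log.trace("verifySignature: Reference ({}) validation status: {}",
                index, ((Reference) referenceEntry).validate(validateContext));
            index++;
        }
    }

    /** Utility class; not instantiable. */
    private XmlSigner() {
    }
}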
