package de.governikus.panstar.sdk.utils.xml;

import de.governikus.panstar.sdk.utils.constant.ErrorCode;
import de.governikus.panstar.sdk.utils.exception.ErrorCodeException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.util.Base64;
import org.opensaml.saml.common.SAMLObjectContentReference;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.KeyInfo;
import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.X509Data;
import org.opensaml.xmlsec.signature.X509IssuerName;
import org.opensaml.xmlsec.signature.X509IssuerSerial;
import org.opensaml.xmlsec.signature.X509SerialNumber;
import org.opensaml.xmlsec.signature.impl.KeyInfoBuilder;
import org.opensaml.xmlsec.signature.impl.SignatureBuilder;
import org.opensaml.xmlsec.signature.impl.SignatureImpl;
import org.opensaml.xmlsec.signature.impl.X509CertificateBuilder;
import org.opensaml.xmlsec.signature.impl.X509DataBuilder;
import org.opensaml.xmlsec.signature.impl.X509IssuerNameBuilder;
import org.opensaml.xmlsec.signature.impl.X509IssuerSerialBuilder;
import org.opensaml.xmlsec.signature.impl.X509SerialNumberBuilder;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/panstar/sdk/utils/xml/XMLSignatureHandler.class */
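public final class XMLSignatureHandler {

    private static final Logger LOG = LoggerFactory.getLogger(XMLSignatureHandler.class);

    /** Digest names accepted by {@link #addSignature}; each JCA-style name has a hyphen-less alias. */
    public static final String SHA256 = "SHA-256";
    public static final String SHA256_ALT = "SHA256";
    public static final String SHA384 = "SHA-384";
    public static final String SHA384_ALT = "SHA384";
    public static final String SHA512 = "SHA-512";
    public static final String SHA512_ALT = "SHA512";
    // Not referenced in this listing; kept because it was part of the original class.
    private static final String STRING_ENUM_SEPARATOR = ", ";

    /** Exclusive XML canonicalization, applied to the SignedInfo of every signature produced here. */
    private static final String C14N_EXCLUSIVE = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** Digest-method URIs set on the content reference. */
    private static final String DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";
    private static final String DIGEST_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";
    private static final String DIGEST_SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512";

    /** RSA signature-method URIs; these are the RSASSA-PSS (MGF1) identifiers, not PKCS#1 v1.5. */
    private static final String SIG_RSA_PSS_SHA256 = "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1";
    private static final String SIG_RSA_PSS_SHA384 = "http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1";
    private static final String SIG_RSA_PSS_SHA512 = "http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1";

    /** ECDSA signature-method URIs. */
    private static final String SIG_ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
    private static final String SIG_ECDSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384";
    private static final String SIG_ECDSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";

    /**
     * Controls what key material is placed into the {@code KeyInfo} of a generated signature.
     * <p>
     * {@link #NONE} means that {@link #addSignature} returns without attaching any signature at all,
     * so callers must not rely on the object being signed in that case.
     */
    public enum SigEntryType {
        /** Do not sign; {@code addSignature} is a no-op. */
        NONE,
        /** Embed the Base64-encoded signer certificate in {@code X509Data}. */
        CERTIFICATE,
        /** Embed only issuer name and serial number ({@code X509IssuerSerial}). */
        ISSUERSERIAL
    }

    /**
     * Signs {@code signableXMLObject} with a digest chosen from the key type: SHA-256 for RSA keys and
     * for 256-bit EC curves, SHA-384 for 384-bit curves, SHA-512 for any other EC field size.
     *
     * @param signableXMLObject the SAML/XML object to sign
     * @param privateKey        signing key; must report algorithm {@code "RSA"} or {@code "EC"}
     * @param x509Certificate   certificate belonging to {@code privateKey}, referenced in {@code KeyInfo}
     * @param sigEntryType      how the certificate is referenced; {@link SigEntryType#NONE} skips signing
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded for {@code KeyInfo}
     * @throws ClassCastException           if an {@code "EC"} key is not a {@link ECPrivateKey}
     *                                      (e.g. some provider-specific key handles) — inherited behaviour
     */
    public static void addSignature(SignableXMLObject signableXMLObject, PrivateKey privateKey,
                                    X509Certificate x509Certificate, SigEntryType sigEntryType)
            throws CertificateEncodingException {
        addSignature(signableXMLObject, privateKey, x509Certificate, sigEntryType, defaultDigestFor(privateKey));
    }

    /** Picks the digest name matching the key's security level; non-EC keys always map to SHA-256. */
    private static String defaultDigestFor(PrivateKey privateKey) {
        if (!"EC".equals(privateKey.getAlgorithm())) {
            return SHA256;
        }
        // The cast is unchecked on purpose: the original behaviour is a ClassCastException for
        // EC keys that do not expose their parameters.
        int fieldSize = ((ECPrivateKey) privateKey).getParams().getCurve().getField().getFieldSize();
        if (fieldSize == 256) {
            return SHA256;
        }
        if (fieldSize == 384) {
            return SHA384;
        }
        return SHA512;
    }

    /**
     * Signs {@code signableXMLObject} with an explicit digest algorithm.
     * <p>
     * The signature uses exclusive C14N, RSASSA-PSS for RSA keys and ECDSA for EC keys, and the
     * digest method of the single content reference is set to match {@code str}.
     *
     * @param signableXMLObject the SAML/XML object to sign
     * @param privateKey        signing key; must report algorithm {@code "RSA"} or {@code "EC"}
     * @param x509Certificate   certificate belonging to {@code privateKey}, referenced in {@code KeyInfo}
     * @param sigEntryType      how the certificate is referenced; {@link SigEntryType#NONE} skips signing
     * @param str               digest name, one of {@link #SHA256}, {@link #SHA384}, {@link #SHA512} or
     *                          their {@code _ALT} aliases
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded for {@code KeyInfo}
     * @throws IllegalArgumentException     if the key algorithm or the digest name is not supported
     */
    public static void addSignature(SignableXMLObject signableXMLObject, PrivateKey privateKey,
                                    X509Certificate x509Certificate, SigEntryType sigEntryType, String str)
            throws CertificateEncodingException {
        if (sigEntryType == SigEntryType.NONE) {
            return;
        }
        SignatureImpl signature = new SignatureBuilder().buildObject();
        BasicX509Credential credential = new BasicX509Credential(x509Certificate);
        credential.setPrivateKey(privateKey);
        signature.setSigningCredential(credential);

        // Signature method depends on both key type and requested digest; unsupported digests are
        // rejected here, before anything is attached to the object.
        switch (privateKey.getAlgorithm()) {
            case "EC":
                handleECSignature(str, signature);
                break;
            case "RSA":
                handleRSASignature(str, signature);
                break;
            default:
                throw new IllegalArgumentException("Unsupported key algorithm " + privateKey.getAlgorithm() + ", use RSA or EC");
        }
        signature.setCanonicalizationAlgorithm(C14N_EXCLUSIVE);

        KeyInfo keyInfo = new KeyInfoBuilder().buildObject();
        X509Data x509Data = new X509DataBuilder().buildObject();
        if (sigEntryType == SigEntryType.CERTIFICATE) {
            addCertificate(x509Certificate, x509Data);
        } else if (sigEntryType == SigEntryType.ISSUERSERIAL) {
            addIssuerSerial(x509Certificate, x509Data);
        }
        keyInfo.getX509Datas().add(x509Data);
        signature.setKeyInfo(keyInfo);
        signableXMLObject.setSignature(signature);

        // NOTE(review): the content reference at index 0 is presumably created by setSignature()
        // on the SAML object — confirm against the OpenSAML version in use.
        ((SAMLObjectContentReference) signature.getContentReferences().get(0))
                .setDigestAlgorithm(digestAlgorithmUri(str));
    }

    /**
     * Maps a digest name (or its alias) to the XML DSig digest-method URI.
     *
     * @throws IllegalArgumentException for unknown names; normally unreachable because
     *                                  {@code handleRSASignature}/{@code handleECSignature} reject them first
     */
    private static String digestAlgorithmUri(String str) {
        if (str == null) {
            throw new IllegalArgumentException("Given digest algorithm null not supported, use SHA-256, SHA-384 or SHA-512");
        }
        switch (str) {
            case SHA256:
            case SHA256_ALT:
                return DIGEST_SHA256;
            case SHA384:
            case SHA384_ALT:
                return DIGEST_SHA384;
            case SHA512:
            case SHA512_ALT:
                return DIGEST_SHA512;
            default:
                throw new IllegalArgumentException("Given digest algorithm " + str + " not supported, use SHA-256, SHA-384 or SHA-512");
        }
    }

    /**
     * Sets the RSASSA-PSS signature method matching {@code str}.
     *
     * @throws IllegalArgumentException if {@code str} is {@code null} or not a supported digest name
     */
    private static void handleRSASignature(String str, Signature signature) {
        if (str == null) {
            throw new IllegalArgumentException("Given digest algorithm " + str + " not supported with RSA keys, use SHA-256, SHA-384 or SHA-512");
        }
        switch (str) {
            case SHA256:
            case SHA256_ALT:
                signature.setSignatureAlgorithm(SIG_RSA_PSS_SHA256);
                break;
            case SHA384:
            case SHA384_ALT:
                signature.setSignatureAlgorithm(SIG_RSA_PSS_SHA384);
                break;
            case SHA512:
            case SHA512_ALT:
                signature.setSignatureAlgorithm(SIG_RSA_PSS_SHA512);
                break;
            default:
                throw new IllegalArgumentException("Given digest algorithm " + str + " not supported with RSA keys, use SHA-256, SHA-384 or SHA-512");
        }
    }

    /**
     * Sets the ECDSA signature method matching {@code str}.
     *
     * @throws IllegalArgumentException if {@code str} is {@code null} or not a supported digest name
     */
    private static void handleECSignature(String str, Signature signature) {
        if (str == null) {
            throw new IllegalArgumentException("Given digest algorithm " + str + " not supported with EC keys, use SHA-256, SHA-384 or SHA-512");
        }
        switch (str) {
            case SHA256:
            case SHA256_ALT:
                signature.setSignatureAlgorithm(SIG_ECDSA_SHA256);
                break;
            case SHA384:
            case SHA384_ALT:
                signature.setSignatureAlgorithm(SIG_ECDSA_SHA384);
                break;
            case SHA512:
            case SHA512_ALT:
                signature.setSignatureAlgorithm(SIG_ECDSA_SHA512);
                break;
            default:
                throw new IllegalArgumentException("Given digest algorithm " + str + " not supported with EC keys, use SHA-256, SHA-384 or SHA-512");
        }
    }

    /**
     * Adds the DER-encoded certificate, Base64-encoded, as an {@code X509Certificate} element.
     *
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    private static void addCertificate(X509Certificate x509Certificate, X509Data x509Data)
            throws CertificateEncodingException {
        org.opensaml.xmlsec.signature.X509Certificate certElement = new X509CertificateBuilder().buildObject();
        certElement.setValue(Base64.getEncoder().encodeToString(x509Certificate.getEncoded()));
        x509Data.getX509Certificates().add(certElement);
    }

    /** Adds an {@code X509IssuerSerial} element built from the certificate's issuer DN and serial number. */
    private static void addIssuerSerial(X509Certificate x509Certificate, X509Data x509Data) {
        X509IssuerName issuerName = new X509IssuerNameBuilder().buildObject();
        issuerName.setValue(x509Certificate.getIssuerX500Principal().getName());

        X509SerialNumber serialNumber = new X509SerialNumberBuilder().buildObject();
        serialNumber.setValue(x509Certificate.getSerialNumber());

        X509IssuerSerial issuerSerial = new X509IssuerSerialBuilder().buildObject();
        issuerSerial.setX509IssuerName(issuerName);
        issuerSerial.setX509SerialNumber(serialNumber);
        x509Data.getX509IssuerSerials().add(issuerSerial);
    }

    /**
     * Verifies {@code signature} against a list of trust anchors and returns the index of the first
     * anchor whose public key validates it.
     * <p>
     * The check consists of the OpenSAML SAML signature profile validation followed by a
     * cryptographic verification against each non-null anchor in order. It does <em>not</em> check
     * the anchors' validity period, revocation status or any certificate chain — callers must pass
     * only certificates they already trust.
     *
     * @param signature          the signature to verify; {@code null} yields {@code SIGNATURE_MISSING}
     * @param x509CertificateArr trust anchors; {@code null} entries are skipped
     * @return index into {@code x509CertificateArr} of the anchor that validated the signature
     * @throws ErrorCodeException {@code SIGNATURE_CHECK_FAILED} if no anchor is given, the profile check
     *                            fails, or no anchor validates the signature; {@code SIGNATURE_MISSING} if
     *                            {@code signature} is {@code null}; {@code INTERNAL_ERROR} for any other
     *                            failure during validation
     */
    public static int checkSignature(Signature signature, X509Certificate... x509CertificateArr)
            throws ErrorCodeException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new ErrorCodeException(ErrorCode.SIGNATURE_CHECK_FAILED, "no trusted anchor given");
        }
        if (signature == null) {
            throw new ErrorCodeException(ErrorCode.SIGNATURE_MISSING, new String[0]);
        }

        // Profile validation is kept in its own try so that the ErrorCodeExceptions thrown further
        // down are not caught by a surrounding catch (Exception) and re-wrapped as INTERNAL_ERROR.
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (SignatureException e) {
            LOG.debug("Signature does not meet security-related requirements", e);
            throw new ErrorCodeException(ErrorCode.SIGNATURE_CHECK_FAILED, (Throwable) e);
        } catch (Exception e) {
            throw new ErrorCodeException(ErrorCode.INTERNAL_ERROR, e);
        }

        for (int i = 0; i < x509CertificateArr.length; i++) {
            X509Certificate anchor = x509CertificateArr[i];
            if (anchor == null) {
                continue;
            }
            try {
                SignatureValidator.validate(signature, new BasicX509Credential(anchor));
                return i;
            } catch (SignatureException e) {
                // A mismatch with one anchor is expected; the narrower type must be caught first.
                LOG.debug("Signature could not be validated with certificate: {} \n Try to continue with other trust anchors", anchor, e);
            } catch (Exception e) {
                throw new ErrorCodeException(ErrorCode.INTERNAL_ERROR, e);
            }
        }
        throw new ErrorCodeException(ErrorCode.SIGNATURE_CHECK_FAILED, new String[0]);
    }

    private XMLSignatureHandler() {
    }
}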
