package org.apache.ws.security.processor;

import java.security.Key;
import java.security.KeyException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.crypto.Data;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.NodeSetData;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.PublicKeyPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.CallbackLookup;
import org.apache.ws.security.message.DOMCallbackLookup;
import org.apache.ws.security.message.DOMURIDereferencer;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.str.SignatureSTRParser;
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.transform.STRTransformUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/bundle/wss4j-1.6.1.jar:org/apache/ws/security/processor/SignatureProcessor.class */
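/**
 * Processor for a {@code ds:Signature} element found in a WS-Security header.
 *
 * <p>Processing has three stages: (1) determine the key that verifies the signature,
 * either from the {@code ds:KeyInfo} child (a SecurityTokenReference or a bare
 * KeyValue) or, when KeyInfo is absent, from the default identity of the signature
 * {@link Crypto}; (2) run JSR-105 core validation of the signature; (3) resolve every
 * signed reference to the element it protects and publish the outcome as a
 * {@link WSSecurityEngineResult}.
 *
 * <p>Trust decisions are delegated to the {@link Validator} registered under
 * {@link WSSecurityEngine#SIGNATURE}. When no validator is registered, a key that
 * arrives inside the message (a KeyValue, or an STR the parser did not mark as
 * trusted) is used for verification without any further check, and the result is not
 * tagged {@link WSSecurityEngineResult#TAG_VALIDATED_TOKEN}. Callers that need an
 * actual trust decision must therefore configure a validator.
 */
public class SignatureProcessor implements Processor {
    private static final Log LOG = LogFactory.getLog(SignatureProcessor.class);

    /** XML Digital Signature namespace. */
    private static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** WS-Security (wsse) namespace. */
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    /** Exclusive C14N, the only canonicalization method accepted in WS-I BSP mode. */
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    /** Transform URI of the WS-Security STR-Transform. */
    private static final String STR_TRANSFORM_URI =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform";
    /** JSR-105 context property that keeps dereferenced reference data available after validation. */
    private static final String CACHE_REFERENCE_PROPERTY = "javax.xml.crypto.dsig.cacheReference";

    private final XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
    private final KeyInfoFactory keyInfoFactory = KeyInfoFactory.getInstance("DOM");

    /**
     * Verifies the signature rooted at {@code element} and records what it protects.
     *
     * @param element the {@code ds:Signature} element
     * @param requestData per-request configuration: signature Crypto, WSSConfig and validators
     * @param wSDocInfo shared per-document state; the result and the token element are added to it
     * @return a single-element list holding the signature result
     * @throws WSSecurityException if no verification key can be determined, if the signature or
     *         any of its references fails to validate, or if a WS-I BSP constraint is violated
     */
    @Override
    public List<WSSecurityEngineResult> handleToken(Element element, RequestData requestData, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Found signature element");
        }
        X509Certificate[] certs = null;
        Principal principal = null;
        PublicKey publicKey = null;
        byte[] secretKey = null;
        String signatureMethod = getSignatureMethod(element);
        Validator validator = requestData.getValidator(WSSecurityEngine.SIGNATURE);
        WSSConfig config = requestData.getWssConfig();

        Element keyInfoElement = WSSecurityUtil.getDirectChildElement(element, "KeyInfo", SIG_NS);
        if (keyInfoElement == null) {
            // No KeyInfo: fall back to the default identity of the signature Crypto. That key comes
            // from local configuration rather than from the message, so the validator is not consulted.
            certs = getDefaultCerts(requestData.getSigCrypto());
            principal = certs[0].getSubjectX500Principal();
        } else {
            List<Element> strElements =
                WSSecurityUtil.getDirectChildElements(keyInfoElement, "SecurityTokenReference", WSSE_NS);
            if (config.isWsiBSPCompliant()) {
                // BSP mode requires exactly one SecurityTokenReference inside KeyInfo.
                if (strElements.isEmpty()) {
                    throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noSecurityTokenReference");
                }
                if (strElements.size() > 1) {
                    throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "badSecurityTokenReference");
                }
            }
            if (strElements.isEmpty()) {
                // Bare KeyValue: the verification key is taken from the message itself. Only a
                // registered validator can decide whether that key is trusted; without one the
                // principal stays null and no trust check happens.
                publicKey = parseKeyValue(keyInfoElement);
                if (validator != null) {
                    principal = new PublicKeyPrincipal(publicKey);
                    Credential credential = new Credential();
                    credential.setPublicKey(publicKey);
                    credential.setPrincipal(principal);
                    validator.validate(credential, requestData);
                }
            } else {
                SignatureSTRParser strParser = new SignatureSTRParser();
                Map<String, Object> parameters = new HashMap<String, Object>();
                parameters.put("signature_method", signatureMethod);
                parameters.put(SignatureSTRParser.SECRET_KEY_LENGTH, Integer.valueOf(config.getSecretKeyLength()));
                // Only the first STR is consulted; in non-BSP mode any further STRs are ignored.
                strParser.parseSecurityTokenReference(strElements.get(0), requestData, wSDocInfo, parameters);
                principal = strParser.getPrincipal();
                certs = strParser.getCertificates();
                publicKey = strParser.getPublicKey();
                secretKey = strParser.getSecretKey();
                boolean trusted = strParser.isTrustedCredential();
                if (trusted && LOG.isDebugEnabled()) {
                    LOG.debug("Direct Trust for SAML/BST credential");
                }
                // A credential the STR parser already marked as trusted bypasses the validator.
                // Purely symmetric (secret key) credentials carry nothing a validator could check.
                if (!trusted && validator != null && (publicKey != null || certs != null)) {
                    Credential credential = new Credential();
                    credential.setPublicKey(publicKey);
                    credential.setCertificates(certs);
                    credential.setPrincipal(principal);
                    validator.validate(credential, requestData);
                }
            }
        }

        if (!hasUsableCert(certs) && secretKey == null && publicKey == null) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }

        XMLSignature xmlSignature =
            verifyXMLSignature(element, certs, publicKey, secretKey, signatureMethod, wSDocInfo);
        byte[] signatureValue = xmlSignature.getSignatureValue().getValue();
        String c14nMethod = xmlSignature.getSignedInfo().getCanonicalizationMethod().getAlgorithm();
        if (config.isWsiBSPCompliant() && !EXC_C14N.equals(c14nMethod)) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "badC14nAlgo");
        }

        List<WSDataRef> protectedRefs =
            buildProtectedRefs(element.getOwnerDocument(), xmlSignature.getSignedInfo(), config, wSDocInfo);
        if (protectedRefs.isEmpty()) {
            // A signature that protects no addressable element is a failed check, not a success.
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
        }

        // A signature produced with a UsernameToken-derived key is reported as UT_SIGN, not SIGN.
        int action = (principal instanceof WSUsernameTokenPrincipal) ? WSConstants.UT_SIGN : WSConstants.SIGN;
        WSSecurityEngineResult result =
            new WSSecurityEngineResult(action, principal, certs, protectedRefs, signatureValue);
        result.put(WSSecurityEngineResult.TAG_SIGNATURE_METHOD, signatureMethod);
        result.put(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD, c14nMethod);
        result.put("id", element.getAttribute("Id"));
        result.put(WSSecurityEngineResult.TAG_SECRET, secretKey);
        result.put(WSSecurityEngineResult.TAG_PUBLIC_KEY, publicKey);
        if (validator != null) {
            // This tag records that a validator was configured for the request; on the
            // default-certificate and direct-trust paths above it is set without a validator call.
            result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
        }
        wSDocInfo.addResult(result);
        wSDocInfo.addTokenElement(element);
        return Collections.singletonList(result);
    }

    /**
     * Returns {@code true} when {@code certs} holds a non-null certificate at index 0,
     * i.e. when it can be used as the verification credential.
     */
    private static boolean hasUsableCert(X509Certificate[] certs) {
        return certs != null && certs.length > 0 && certs[0] != null;
    }

    /**
     * Loads the certificate chain of the Crypto's default X.509 identifier.
     *
     * @param crypto the signature Crypto; may be null when none is configured
     * @return a non-empty chain whose first entry is non-null
     * @throws WSSecurityException if no Crypto or no default identifier is configured, or the
     *         identifier resolves to no certificate
     */
    private X509Certificate[] getDefaultCerts(Crypto crypto) throws WSSecurityException {
        if (crypto == null) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
        }
        String alias = crypto.getDefaultX509Identifier();
        if (alias == null) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo");
        }
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(alias);
        X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
        if (!hasUsableCert(certs)) {
            // Without this guard the caller would dereference certs[0] and fail with an
            // unchecked exception instead of a WSSecurityException.
            throw new WSSecurityException(WSSecurityException.FAILURE);
        }
        return certs;
    }

    /**
     * Extracts the public key from the KeyValue child of a KeyInfo element.
     *
     * @param keyInfoElement the {@code ds:KeyInfo} element
     * @return the public key carried in the KeyValue
     * @throws WSSecurityException if KeyInfo has no KeyValue, cannot be unmarshalled, or the
     *         KeyValue does not yield a key
     */
    private PublicKey parseKeyValue(Element keyInfoElement) throws WSSecurityException {
        KeyValue keyValue;
        try {
            keyValue = getKeyValue(keyInfoElement);
        } catch (MarshalException e) {
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
        }
        if (keyValue == null) {
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo");
        }
        try {
            return keyValue.getPublicKey();
        } catch (KeyException e) {
            LOG.error(e.getMessage(), e);
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
        }
    }

    /**
     * Unmarshals {@code keyInfoElement} and returns its first KeyValue entry, or null if none.
     *
     * @throws MarshalException if the KeyInfo cannot be unmarshalled
     */
    private KeyValue getKeyValue(Element keyInfoElement) throws MarshalException {
        List<?> content = this.keyInfoFactory.unmarshalKeyInfo(new DOMStructure(keyInfoElement)).getContent();
        for (Object item : content) {
            if (item instanceof KeyValue) {
                return (KeyValue) item;
            }
        }
        return null;
    }

    /**
     * Picks the key used for core validation: the first certificate's public key when a usable
     * certificate is present, otherwise the explicit public key, otherwise a secret key derived
     * from the raw bytes and the signature method.
     */
    private static Key selectVerificationKey(X509Certificate[] certs, PublicKey publicKey, byte[] secretKey, String signatureMethod) throws WSSecurityException {
        if (hasUsableCert(certs)) {
            return certs[0].getPublicKey();
        }
        if (publicKey != null) {
            return publicKey;
        }
        return WSSecurityUtil.prepareSecretKey(signatureMethod, secretKey);
    }

    /**
     * Runs JSR-105 core validation of the signature with the selected key.
     *
     * @param element the {@code ds:Signature} element
     * @param certs certificate chain, may be null or empty
     * @param publicKey explicit public key, may be null
     * @param secretKey raw symmetric key bytes, may be null
     * @param signatureMethod signature algorithm URI, used to build a SecretKey from {@code secretKey}
     * @param wSDocInfo document state handed to the URI dereferencer and the STR transform
     * @return the validated signature
     * @throws WSSecurityException with {@code FAILED_CHECK} if unmarshalling or validation fails
     */
    private XMLSignature verifyXMLSignature(Element element, X509Certificate[] certs, PublicKey publicKey, byte[] secretKey, String signatureMethod, WSDocInfo wSDocInfo) throws WSSecurityException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Verify XML Signature");
        }
        Key verificationKey = selectVerificationKey(certs, publicKey, secretKey, signatureMethod);
        DOMValidateContext context = new DOMValidateContext(verificationKey, element);
        // Retain dereferenced data so buildProtectedRefs can inspect STR-Transform references later.
        context.setProperty(CACHE_REFERENCE_PROPERTY, Boolean.TRUE);
        DOMURIDereferencer dereferencer = new DOMURIDereferencer();
        dereferencer.setWsDocInfo(wSDocInfo);
        context.setURIDereferencer(dereferencer);
        context.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wSDocInfo);
        try {
            XMLSignature xmlSignature = this.signatureFactory.unmarshalXMLSignature(context);
            if (xmlSignature.validate(context)) {
                return xmlSignature;
            }
            if (LOG.isDebugEnabled()) {
                // Re-run the individual checks only to explain which part failed.
                LOG.debug("XML Signature verification has failed");
                LOG.debug("Signature Validation check: " + xmlSignature.getSignatureValue().validate(context));
                for (Object r : xmlSignature.getSignedInfo().getReferences()) {
                    Reference reference = (Reference) r;
                    boolean referenceOk = reference.validate(context);
                    String id = reference.getId();
                    if (id == null) {
                        id = reference.getURI();
                    }
                    LOG.debug("Reference " + id + " check: " + referenceOk);
                }
            }
        } catch (Exception e) {
            // Unmarshalling, dereferencing and validation report through several exception types.
            throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
        }
        // Thrown outside the try so the failed check is not wrapped a second time.
        throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
    }

    /**
     * Reads the {@code Algorithm} attribute of {@code ds:SignedInfo/ds:SignatureMethod}.
     *
     * @return the algorithm URI, or null if SignedInfo or SignatureMethod is missing
     */
    private static String getSignatureMethod(Element element) {
        Element signedInfo = WSSecurityUtil.getDirectChildElement(element, Constants._TAG_SIGNEDINFO, SIG_NS);
        if (signedInfo == null) {
            return null;
        }
        Element signatureMethod =
            WSSecurityUtil.getDirectChildElement(signedInfo, Constants._TAG_SIGNATUREMETHOD, SIG_NS);
        if (signatureMethod == null) {
            return null;
        }
        return signatureMethod.getAttributeNS(null, "Algorithm");
    }

    /**
     * Returns the first node in {@code data} whose local name is "SecurityTokenReference",
     * or null. Matching is by local name only; the namespace is not checked here.
     */
    private static Node findSecurityTokenReference(NodeSetData data) {
        for (Iterator<?> it = data.iterator(); it.hasNext();) {
            Node node = (Node) it.next();
            if ("SecurityTokenReference".equals(node.getLocalName())) {
                return node;
            }
        }
        return null;
    }

    /**
     * Resolves every reference of the validated SignedInfo to the element it protects.
     *
     * <p>References with an empty URI are skipped. A reference carrying the STR-Transform is
     * resolved through the SecurityTokenReference found in its dereferenced node set; every
     * other reference is looked up by wsu:Id through the document's {@link CallbackLookup}.
     *
     * @param document the owner document of the signature
     * @param signedInfo the validated SignedInfo
     * @param wSSConfig configuration; its BSP flag is passed to the SecurityTokenReference parser
     * @param wSDocInfo document state supplying the callback lookup and STR dereferencing
     * @return one {@link WSDataRef} per non-empty-URI reference, in SignedInfo order
     * @throws WSSecurityException with {@code FAILED_CHECK} if any reference cannot be resolved
     */
    private List<WSDataRef> buildProtectedRefs(Document document, SignedInfo signedInfo, WSSConfig wSSConfig, WSDocInfo wSDocInfo) throws WSSecurityException {
        List<WSDataRef> protectedRefs = new ArrayList<WSDataRef>();
        for (Object r : signedInfo.getReferences()) {
            Reference reference = (Reference) r;
            String uri = reference.getURI();
            if ("".equals(uri)) {
                // Whole-document reference: nothing wsu:Id-addressable to record.
                continue;
            }
            Element protectedElement = null;
            for (Object t : reference.getTransforms()) {
                Transform transform = (Transform) t;
                if (!STR_TRANSFORM_URI.equals(transform.getAlgorithm())) {
                    continue;
                }
                // Available because the validation context cached reference data.
                Data dereferenced = reference.getDereferencedData();
                if (dereferenced instanceof NodeSetData) {
                    Node strNode = findSecurityTokenReference((NodeSetData) dereferenced);
                    if (strNode != null) {
                        SecurityTokenReference str =
                            new SecurityTokenReference((Element) strNode, wSSConfig.isWsiBSPCompliant());
                        protectedElement = STRTransformUtil.dereferenceSTR(document, str, wSDocInfo);
                    }
                }
            }
            if (protectedElement == null) {
                CallbackLookup lookup = wSDocInfo.getCallbackLookup();
                if (lookup == null) {
                    lookup = new DOMCallbackLookup(document);
                }
                protectedElement = lookup.getElement(uri, null, false);
            }
            if (protectedElement == null) {
                // A signed reference that resolves to nothing cannot be reported as protected.
                throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
            }
            WSDataRef dataRef = new WSDataRef();
            dataRef.setWsuId(uri);
            dataRef.setProtectedElement(protectedElement);
            dataRef.setAlgorithm(signedInfo.getSignatureMethod().getAlgorithm());
            dataRef.setDigestAlgorithm(reference.getDigestMethod().getAlgorithm());
            dataRef.setXpath(ReferenceListProcessor.getXPath(protectedElement));
            protectedRefs.add(dataRef);
        }
        return protectedRefs;
    }
}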
