package be.fgov.ehealth.technicalconnector.signature.impl;

import be.ehealth.technicalconnector.enumeration.Charset;
import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorExceptionValues;
import be.ehealth.technicalconnector.idgenerator.IdGeneratorFactory;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.ehealth.technicalconnector.service.sts.security.SAMLToken;
import be.ehealth.technicalconnector.utils.ConnectorIOUtils;
import be.ehealth.technicalconnector.utils.ConnectorXmlUtils;
import be.fgov.ehealth.technicalconnector.signature.AdvancedElectronicSignatureEnumeration;
import be.fgov.ehealth.technicalconnector.signature.SignatureBuilder;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationError;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationResult;
import be.fgov.ehealth.technicalconnector.signature.domain.XadesOption;
import be.fgov.ehealth.technicalconnector.signature.impl.extractor.ForkedExtractor;
import be.fgov.ehealth.technicalconnector.signature.impl.extractor.SecurityTokenReferenceExtractor;
import be.fgov.ehealth.technicalconnector.signature.impl.extractor.X509DataExctractor;
import be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification;
import be.fgov.ehealth.technicalconnector.signature.impl.xades.domain.QualifyingPropertiesBuilder;
import be.fgov.ehealth.technicalconnector.signature.impl.xades.domain.UnsignedPropertiesBuilder;
import be.fgov.ehealth.technicalconnector.signature.resolvers.DocumentResolver;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.ObjectContainer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.transforms.TransformationException;
import org.apache.xml.security.transforms.Transforms;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/signature/impl/XmlSignatureBuilder.class */
public class XmlSignatureBuilder extends AbstractSignatureBuilder implements SignatureBuilder {
    private static final Logger LOG = LoggerFactory.getLogger(XmlSignatureBuilder.class);
    private XadesSpecification[] specs;
    private AdvancedElectronicSignatureEnumeration aes;

    public XmlSignatureBuilder(AdvancedElectronicSignatureEnumeration advancedElectronicSignatureEnumeration, XadesSpecification... xadesSpecificationArr) {
        this.specs = xadesSpecificationArr;
        this.aes = advancedElectronicSignatureEnumeration;
    }

    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public byte[] sign(Credential credential, byte[] bArr) throws TechnicalConnectorException {
        return sign(credential, bArr, new HashMap());
    }

    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public byte[] sign(Credential credential, byte[] bArr, Map<String, Object> map) throws TechnicalConnectorException {
        HashMap hashMap = new HashMap();
        if (map != null) {
            hashMap.putAll(map);
        }
        validateInput(credential, bArr);
        try {
            String str = (String) SignatureUtils.getOption(XadesOption.BASEURI, hashMap, "");
            String str2 = (String) SignatureUtils.getOption(XadesOption.SIGNATUREMETHODURI, hashMap, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
            String str3 = (String) SignatureUtils.getOption(XadesOption.CANONICALIZATIONMETHODURI, hashMap, "http://www.w3.org/2001/10/xml-exc-c14n#");
            List<String> list = (List) SignatureUtils.getOption("transformerList", hashMap, new ArrayList());
            String str4 = (String) SignatureUtils.getOption(XadesOption.DIGESTURI, hashMap, "http://www.w3.org/2001/04/xmlenc#sha256");
            boolean booleanValue = ((Boolean) SignatureUtils.getOption("encapsulate", hashMap, Boolean.FALSE)).booleanValue();
            if (booleanValue && !list.contains("http://www.w3.org/2000/09/xmldsig#enveloped-signature")) {
                list.add(0, "http://www.w3.org/2000/09/xmldsig#enveloped-signature");
            } else if (!booleanValue && list.contains("http://www.w3.org/2000/09/xmldsig#enveloped-signature")) {
                booleanValue = true;
            }
            Document document = ConnectorXmlUtils.toDocument(bArr);
            XMLSignature xMLSignature = new XMLSignature(document, str, str2, str3);
            DocumentResolver documentResolver = new DocumentResolver(str, document);
            xMLSignature.addResourceResolver(documentResolver);
            xMLSignature.addDocument(ref(str), createDocumentTransform(list, document), str4);
            Transforms transforms = new Transforms(document);
            transforms.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");
            ObjectContainer objectContainer = new ObjectContainer(xMLSignature.getDocument());
            xMLSignature.appendObject(objectContainer);
            if (credential instanceof SAMLToken) {
                SAMLToken sAMLToken = (SAMLToken) credential;
                xMLSignature.getKeyInfo().addUnknownElement((Element) xMLSignature.getDocument().importNode(obtainSAMLTokenReference(sAMLToken), true));
                objectContainer.appendChild((Element) xMLSignature.getDocument().importNode(sAMLToken.getAssertion(), true));
                Transforms transforms2 = new Transforms(document);
                transforms2.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");
                String attribute = sAMLToken.getAssertion().getAttribute("AssertionID");
                xMLSignature.addResourceResolver(new DocumentResolver(attribute, ((SAMLToken) credential).getAssertion().getOwnerDocument()));
                xMLSignature.addDocument(ref(attribute), transforms2, str4, (String) null, "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
            } else if (credential.getCertificateChain() != null) {
                for (Certificate certificate : credential.getCertificateChain()) {
                    xMLSignature.addKeyInfo((X509Certificate) certificate);
                }
            }
            String generateId = IdGeneratorFactory.getIdGenerator("uuid").generateId();
            QualifyingPropertiesBuilder qualifyingPropertiesBuilder = new QualifyingPropertiesBuilder();
            for (XadesSpecification xadesSpecification : this.specs) {
                xadesSpecification.addOptionalBeforeSignatureParts(qualifyingPropertiesBuilder.getSignedProps(), xMLSignature, credential, generateId, map);
            }
            Document buildBeforeSigningAsDocument = qualifyingPropertiesBuilder.buildBeforeSigningAsDocument();
            Element element = (Element) xMLSignature.getDocument().importNode(buildBeforeSigningAsDocument.getDocumentElement(), true);
            objectContainer.appendChild(element);
            documentResolver.addDocument(qualifyingPropertiesBuilder.getSignedProps().getId(), buildBeforeSigningAsDocument);
            xMLSignature.addDocument(ref(qualifyingPropertiesBuilder.getSignedProps().getId()), transforms, str4, (String) null, "http://uri.etsi.org/01903#SignedProperties");
            xMLSignature.sign(credential.getPrivateKey());
            String str5 = "xmldsig-" + generateId;
            xMLSignature.setId(str5);
            element.setAttribute("Target", ref(str5));
            UnsignedPropertiesBuilder unsignedPropertiesBuilder = new UnsignedPropertiesBuilder();
            unsignedPropertiesBuilder.setId(generateId);
            for (XadesSpecification xadesSpecification2 : this.specs) {
                xadesSpecification2.addOptionalAfterSignatureParts(unsignedPropertiesBuilder, xMLSignature, generateId, map);
            }
            if (unsignedPropertiesBuilder.buildAsDocument() != null) {
                element.appendChild((Element) xMLSignature.getDocument().importNode(unsignedPropertiesBuilder.buildAsDocument().getDocumentElement(), true));
            }
            if (!booleanValue) {
                return ConnectorXmlUtils.toByteArray(xMLSignature.getElement());
            }
            document.getFirstChild().insertBefore(document.adoptNode(xMLSignature.getElement()), null);
            return ConnectorXmlUtils.toByteArray(document);
        } catch (XMLSecurityException e) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, e, new Object[]{e.getMessage()});
        } catch (XMLSignatureException e2) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, e2, new Object[]{e2.getMessage()});
        } catch (TransformationException e3) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, e3, new Object[]{e3.getMessage()});
        }
    }

    private Transforms createDocumentTransform(List<String> list, Document document) throws TransformationException {
        Transforms transforms = new Transforms(document);
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            transforms.addTransform(it.next());
        }
        return transforms;
    }

    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public SignatureVerificationResult verify(byte[] bArr, Map<String, Object> map) throws TechnicalConnectorException {
        Document document = ConnectorXmlUtils.toDocument(bArr);
        NodeList matchingChilds = DomUtils.getMatchingChilds(document, SignatureUtils.XMLNS_DS, "Signature");
        if (matchingChilds != null && matchingChilds.getLength() != 0) {
            if (matchingChilds.getLength() > 1) {
                LOG.info("Multiple signature found, using first one.");
            }
            return verify(document, (Element) matchingChilds.item(0), map);
        }
        LOG.info("No signature found in signedContent");
        SignatureVerificationResult signatureVerificationResult = new SignatureVerificationResult();
        signatureVerificationResult.getErrors().add(SignatureVerificationError.SIGNATURE_NOT_PRESENT);
        return signatureVerificationResult;
    }

    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public SignatureVerificationResult verify(byte[] bArr, byte[] bArr2, Map<String, Object> map) throws TechnicalConnectorException {
        return verify(ConnectorXmlUtils.toDocument(bArr), ConnectorXmlUtils.toElement(bArr2), map);
    }

    public SignatureVerificationResult verify(Document document, Element element, Map<String, Object> map) throws TechnicalConnectorException {
        HashMap hashMap = new HashMap();
        if (map != null) {
            hashMap.putAll(map);
        }
        SignatureVerificationResult signatureVerificationResult = new SignatureVerificationResult();
        NodeList matchingChilds = DomUtils.getMatchingChilds(document, SignatureUtils.XMLNS_DS, "Signature");
        if (matchingChilds == null || matchingChilds.getLength() == 0) {
            LOG.info("Adding signature to signedContent");
            document.getFirstChild().appendChild(document.importNode(element, true));
        }
        verifyXmlDsigSignature(signatureVerificationResult, element, document, hashMap);
        verifyManifest(signatureVerificationResult, element, hashMap);
        for (XadesSpecification xadesSpecification : this.specs) {
            xadesSpecification.verify(signatureVerificationResult, element);
        }
        validateChain(signatureVerificationResult, map);
        return signatureVerificationResult;
    }

    private void verifyManifest(SignatureVerificationResult signatureVerificationResult, Element element, Map<String, Object> map) {
        if (((Boolean) SignatureUtils.getOption(XadesOption.FOLLOWNESTEDMANIFEST, map, Boolean.FALSE)).booleanValue()) {
            NodeList matchingChilds = DomUtils.getMatchingChilds((Element) DomUtils.getMatchingChilds(element, SignatureUtils.XMLNS_DS, "SignedInfo").item(0), SignatureUtils.XMLNS_DS, "Reference");
            for (int i = 0; i < matchingChilds.getLength(); i++) {
                String attribute = ((Element) matchingChilds.item(i)).getAttribute("Type");
                if (attribute.endsWith("Manifest") && !attribute.equalsIgnoreCase("http://www.w3.org/2000/09/xmldsig#Manifest")) {
                    signatureVerificationResult.getErrors().add(SignatureVerificationError.SIGNATURE_MANIFEST_COULD_NOT_BE_VERIFIED);
                }
            }
        }
    }

    private void verifyXmlDsigSignature(SignatureVerificationResult signatureVerificationResult, Element element, Document document, Map<String, Object> map) {
        try {
            String generateId = IdGeneratorFactory.getIdGenerator("uuid").generateId();
            XMLSignature xMLSignature = new XMLSignature(element, generateId);
            xMLSignature.setFollowNestedManifests(((Boolean) SignatureUtils.getOption(XadesOption.FOLLOWNESTEDMANIFEST, map, Boolean.FALSE)).booleanValue());
            xMLSignature.addResourceResolver(new DocumentResolver(generateId, document));
            KeyInfo keyInfo = xMLSignature.getKeyInfo();
            keyInfo.setSecureValidation(false);
            signatureVerificationResult.getCertChain().addAll(new ForkedExtractor(new X509DataExctractor(), new SecurityTokenReferenceExtractor()).extract(keyInfo));
            X509Certificate extractEndCertificate = extractEndCertificate(signatureVerificationResult.getCertChain());
            signatureVerificationResult.setSigningCert(extractEndCertificate);
            if (!xMLSignature.checkSignatureValue(extractEndCertificate)) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
            }
        } catch (Exception e) {
            LOG.error("Unable to verify XmlDsig Signature", e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
        }
    }

    private Element obtainSAMLTokenReference(SAMLToken sAMLToken) throws TechnicalConnectorException {
        return ConnectorXmlUtils.toDocument(ConnectorIOUtils.toBytes(StringUtils.replace(ConnectorIOUtils.getResourceAsString("/templates/keyinfo-saml1.1-reference.xml"), "${assertionId}", sAMLToken.getAssertion().getAttribute("AssertionID")), Charset.UTF_8)).getDocumentElement();
    }

    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public AdvancedElectronicSignatureEnumeration getSupportedAES() {
        return this.aes;
    }

    private static String ref(String str) {
        return "#" + str;
    }
}
