package be.fgov.ehealth.technicalconnector.signature.impl;

import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorExceptionValues;
import be.ehealth.technicalconnector.idgenerator.IdGeneratorFactory;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.ehealth.technicalconnector.utils.ConnectorXmlUtils;
import be.fgov.ehealth.technicalconnector.signature.AdvancedElectronicSignatureEnumeration;
import be.fgov.ehealth.technicalconnector.signature.SignatureBuilder;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationError;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationResult;
import be.fgov.ehealth.technicalconnector.signature.domain.XadesOption;
import be.fgov.ehealth.technicalconnector.signature.impl.extractor.X509DataExctractor;
import be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesHandler;
import be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification;
import be.fgov.ehealth.technicalconnector.signature.resolvers.DocumentResolver;
import be.fgov.ehealth.technicalconnector.signature.transformers.EncapsulationTransformer;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.commons.lang.StringUtils;
import org.apache.xml.security.Init;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.TransformationException;
import org.apache.xml.security.transforms.Transforms;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/signature/impl/XmlSignatureBuilder.class */
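/**
 * XMLDSig {@link SignatureBuilder} built on Apache Santuario.
 *
 * <p>Signing ({@link #sign(Credential, byte[], Map)}) wraps the input document in a
 * {@code ds:Signature} whose single reference points at the document itself, embeds the
 * credential's certificate chain in {@code ds:KeyInfo}, lets the configured
 * {@link XadesSpecification}s add their XAdES content through a {@link XadesHandler}, and
 * returns either the bare signature element (detached) or the document with the signature
 * inserted into its root element (enveloped, when the transform list contains the
 * enveloped-signature transform).
 *
 * <p>Verification ({@link #verify(Document, Element, Map)}) checks the signature value against
 * the end certificate found in the signature's own {@code ds:KeyInfo}, then runs the optional
 * manifest check, each {@link XadesSpecification}, and finally {@code validateChain} (inherited
 * from {@link AbstractSignatureBuilder}). A valid signature value on its own only proves that
 * the signer held the private key of the embedded certificate; whether that certificate is
 * trusted is the job of the chain validation step, not of this class.
 */
public class XmlSignatureBuilder extends AbstractSignatureBuilder implements SignatureBuilder {
    public static final String XMLNS_DS = "http://www.w3.org/2000/09/xmldsig#";
    private static final Logger LOG = LoggerFactory.getLogger(XmlSignatureBuilder.class);

    private static final String ENVELOPED_SIGNATURE_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
    private static final String MANIFEST_REFERENCE_TYPE = "http://www.w3.org/2000/09/xmldsig#Manifest";
    private static final String DEFAULT_C14N_METHOD = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String DEFAULT_DIGEST_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256";

    private final XadesSpecification[] specs;
    private final AdvancedElectronicSignatureEnumeration aes;

    static {
        // Santuario must be initialised once per JVM before any XMLSignature is created.
        if (!Init.isInitialized()) {
            Init.init();
        }
    }

    /**
     * Default {@link EncapsulationTransformer}: the {@code ds:Signature} element is inserted
     * into the document exactly as produced, without any wrapping.
     */
    public static class PassthroughEncapsulationTransformer implements EncapsulationTransformer {
        private PassthroughEncapsulationTransformer() {
        }

        @Override // be.fgov.ehealth.technicalconnector.signature.transformers.EncapsulationTransformer
        public Node transform(Node node) {
            return node;
        }
    }

    /**
     * @param advancedElectronicSignatureEnumeration the AES level this builder reports via {@link #getSupportedAES()}
     * @param xadesSpecificationArr                   XAdES specifications applied on sign (through the
     *                                                {@link XadesHandler}) and verify; may be empty
     */
    public XmlSignatureBuilder(AdvancedElectronicSignatureEnumeration advancedElectronicSignatureEnumeration, XadesSpecification... xadesSpecificationArr) {
        // A null varargs array would make verify() throw; treat it as "no specifications".
        this.specs = xadesSpecificationArr == null ? new XadesSpecification[0] : xadesSpecificationArr;
        this.aes = advancedElectronicSignatureEnumeration;
    }

    /**
     * Adds every certificate of the credential's chain to a single {@code ds:X509Data} inside the
     * signature's {@code ds:KeyInfo}. Nothing is added when the credential has no chain, and no
     * empty {@code ds:X509Data} is created for an empty chain.
     */
    private static void addKeyInfo(Credential credential, XMLSignature xMLSignature) throws TechnicalConnectorException, XMLSecurityException {
        if (credential.getCertificateChain() == null) {
            return;
        }
        KeyInfo keyInfo = xMLSignature.getKeyInfo();
        X509Data x509Data = null;
        for (Certificate certificate : credential.getCertificateChain()) {
            if (x509Data == null) {
                // Reuse an X509Data that is already present, otherwise create the first one lazily.
                x509Data = keyInfo.itemX509Data(0);
                if (x509Data == null) {
                    x509Data = new X509Data(xMLSignature.getDocument());
                    keyInfo.add(x509Data);
                }
            }
            x509Data.addCertificate((X509Certificate) certificate);
        }
    }

    /** True when the transform list asks for an enveloped signature, i.e. the signature goes into the document. */
    private static boolean mustEncapsulate(List<String> list) {
        return list.contains(ENVELOPED_SIGNATURE_TRANSFORM);
    }

    /**
     * Returns the transform URIs to apply to the document reference, as a fresh list.
     *
     * <p>When the {@code "encapsulate"} option is true the enveloped-signature transform is
     * prepended unless already present. The caller-supplied list is copied rather than
     * modified in place, so an unmodifiable or shared option value is safe to pass.
     */
    private static List<String> getTransformerList(Map<String, Object> map) {
        boolean encapsulate = ((Boolean) SignatureUtils.getOption("encapsulate", map, Boolean.FALSE)).booleanValue();
        @SuppressWarnings("unchecked")
        List<String> configured = (List<String>) SignatureUtils.getOption(XadesOption.TRANSFORMERLIST, map, new ArrayList<String>());
        List<String> transformers = new ArrayList<String>(configured);
        if (encapsulate && !transformers.contains(ENVELOPED_SIGNATURE_TRANSFORM)) {
            transformers.add(0, ENVELOPED_SIGNATURE_TRANSFORM);
        }
        return transformers;
    }

    /**
     * Serialises the signing result.
     *
     * @param encapsulate     false: return only the {@code ds:Signature} element (detached);
     *                        true: insert it into the document's root element and return the whole document
     * @param insertionXPath  optional XPath (evaluated against the root element) selecting the sibling
     *                        the signature is inserted before; blank or unresolvable means "append as last child"
     * @param encapsulationTransformer hook applied to the signature element before insertion
     */
    private static byte[] transform(boolean encapsulate, String insertionXPath, EncapsulationTransformer encapsulationTransformer, Document document, XMLSignature xMLSignature) {
        if (!encapsulate) {
            return ConnectorXmlUtils.toByteArray(xMLSignature.getElement());
        }
        Node signatureNode = document.adoptNode(encapsulationTransformer.transform(xMLSignature.getElement()));
        Node insertBefore = locateInsertionPoint(insertionXPath, document);
        // The root *element* is the intended parent. document.getFirstChild() would be a leading
        // comment, processing instruction or DOCTYPE node when the input has a prolog, and inserting
        // into that fails with a DOMException.
        document.getDocumentElement().insertBefore(signatureNode, insertBefore);
        return ConnectorXmlUtils.toByteArray(document);
    }

    /**
     * Resolves the caller's insertion XPath to exactly one node, or returns null (append as last
     * child) when the expression is blank, invalid, or matches anything other than one node.
     */
    private static Node locateInsertionPoint(String insertionXPath, Document document) {
        if (StringUtils.isBlank(insertionXPath)) {
            LOG.debug("Using default location (last child tag)");
            return null;
        }
        try {
            NodeList hits = (NodeList) XPathFactory.newInstance().newXPath().evaluate(insertionXPath, document.getDocumentElement(), XPathConstants.NODESET);
            if (hits.getLength() == 1) {
                LOG.debug("1 node found, inserting at location [{}]", insertionXPath);
                return hits.item(0);
            }
            LOG.warn("XPATH error: {} found at location [{}], using default.", hits.getLength(), insertionXPath);
        } catch (XPathExpressionException e) {
            LOG.info("Unable to determine XPath Location, using default.", e);
        }
        return null;
    }

    /** Builds a {@link Transforms} chain from the given transform URIs, in order. */
    private static Transforms transforms(List<String> list, Document document) throws TransformationException {
        Transforms transforms = new Transforms(document);
        for (String transformUri : list) {
            transforms.addTransform(transformUri);
        }
        return transforms;
    }

    /** Same-document reference URI for the given base URI ({@code "#"} when the base URI is empty). */
    private static String ref(String str) {
        return "#" + str;
    }

    /** Null-safe, private copy of the caller's option map so defaults and lookups never touch the caller's map. */
    private static Map<String, Object> copyOptions(Map<String, Object> map) {
        Map<String, Object> options = new HashMap<String, Object>();
        if (map != null) {
            options.putAll(map);
        }
        return options;
    }

    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public byte[] sign(Credential credential, byte[] bArr) throws TechnicalConnectorException {
        return sign(credential, bArr, new HashMap<String, Object>());
    }

    /**
     * Signs {@code bArr} (an XML document) with the credential's private key.
     *
     * <p>Options (see {@link XadesOption}): base URI, signature/canonicalization/digest method URIs
     * (defaults: the credential's algorithm via {@code determineDefaultAlgo}, exclusive C14N, SHA-256),
     * the transform list / {@code "encapsulate"} flag, and the encapsulation XPath and transformer.
     * The same option map is handed to the {@link XadesHandler}.
     *
     * @return the detached {@code ds:Signature} element, or the whole document when an enveloped
     *         signature was requested
     * @throws TechnicalConnectorException with {@code ERROR_GENERAL} wrapping any failure
     */
    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public byte[] sign(Credential credential, byte[] bArr, Map<String, Object> map) throws TechnicalConnectorException {
        Map<String, Object> options = copyOptions(map);
        validateInput(credential, bArr);
        try {
            String signatureId = "xmldsig-" + IdGeneratorFactory.getIdGenerator("uuid").generateId();
            String baseUri = (String) SignatureUtils.getOption(XadesOption.BASEURI, options, "");
            String signatureMethod = (String) SignatureUtils.getOption(XadesOption.SIGNATUREMETHODURI, options, determineDefaultAlgo(credential));
            String c14nMethod = (String) SignatureUtils.getOption(XadesOption.CANONICALIZATIONMETHODURI, options, DEFAULT_C14N_METHOD);
            String digestMethod = (String) SignatureUtils.getOption(XadesOption.DIGESTURI, options, DEFAULT_DIGEST_METHOD);
            String insertionXPath = (String) SignatureUtils.getOption(XadesOption.ENCAPSULATE_XPATH, options, null);
            EncapsulationTransformer encapsulationTransformer = (EncapsulationTransformer) SignatureUtils.getOption(XadesOption.ENCAPSULATE_TRANSFORMER, options, new PassthroughEncapsulationTransformer());
            List<String> transformerList = getTransformerList(options);

            Document document = ConnectorXmlUtils.toDocument(bArr);
            XMLSignature xMLSignature = new XMLSignature(document, baseUri, signatureMethod, c14nMethod);
            xMLSignature.addResourceResolver(new DocumentResolver(document));
            // One reference covering the document itself, with the configured transform chain.
            xMLSignature.addDocument(ref(baseUri), transforms(transformerList, document), digestMethod);
            addKeyInfo(credential, xMLSignature);

            // The XAdES handler must add its qualifying properties (and their references) before
            // signing and may post-process the signature afterwards; keep this order.
            XadesHandler xadesHandler = new XadesHandler(xMLSignature, credential, options, this.specs);
            xadesHandler.before();
            xMLSignature.sign(credential.getPrivateKey());
            xMLSignature.setId(signatureId);
            xadesHandler.after();

            return transform(mustEncapsulate(transformerList), insertionXPath, encapsulationTransformer, document, xMLSignature);
        } catch (Exception e) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, e, new Object[]{e.getMessage()});
        }
    }

    /**
     * Verifies the first {@code ds:Signature} found in {@code bArr}.
     *
     * <p>Only the first signature is verified; additional ones are logged and otherwise ignored,
     * so a caller that must validate every signature has to iterate itself.
     *
     * @return a result carrying {@code SIGNATURE_NOT_PRESENT} when no signature element exists
     */
    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public SignatureVerificationResult verify(byte[] bArr, Map<String, Object> map) throws TechnicalConnectorException {
        Document document = ConnectorXmlUtils.toDocument(bArr);
        NodeList signatures = DomUtils.getMatchingChilds(document, XMLNS_DS, "Signature");
        if (signatures == null || signatures.getLength() == 0) {
            LOG.info("No signature found in signedContent");
            SignatureVerificationResult result = new SignatureVerificationResult();
            result.addError(SignatureVerificationError.SIGNATURE_NOT_PRESENT);
            return result;
        }
        if (signatures.getLength() > 1) {
            LOG.info("Multiple signature found, using first one.");
        }
        return verify(document, (Element) signatures.item(0), map);
    }

    /** Verifies a detached signature ({@code bArr2}) over the content in {@code bArr}. */
    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public SignatureVerificationResult verify(byte[] bArr, byte[] bArr2, Map<String, Object> map) throws TechnicalConnectorException {
        return verify(ConnectorXmlUtils.toDocument(bArr), ConnectorXmlUtils.toElement(bArr2), map);
    }

    /**
     * Verifies {@code element} (a {@code ds:Signature}) against {@code document}.
     *
     * <p>Steps, each adding errors to the returned result rather than throwing: XMLDSig signature
     * value check, optional nested-manifest check ({@link XadesOption#FOLLOWNESTEDMANIFEST}),
     * every configured {@link XadesSpecification}, then {@code validateChain}. The caller must
     * inspect the result's errors; this method never throws for an invalid signature.
     */
    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public SignatureVerificationResult verify(Document document, Element element, Map<String, Object> map) throws TechnicalConnectorException {
        Map<String, Object> options = copyOptions(map);
        SignatureVerificationResult result = new SignatureVerificationResult();
        NodeList signatures = DomUtils.getMatchingChilds(document, XMLNS_DS, "Signature");
        if (signatures == null || signatures.getLength() == 0) {
            // Detached signature: graft a copy onto the root element so same-document references
            // resolve through the DocumentResolver. (The root element, not document.getFirstChild(),
            // which is a prolog node when the input has a comment, PI or DOCTYPE before the root.)
            LOG.info("Adding signature to signedContent");
            document.getDocumentElement().appendChild(document.importNode(element, true));
        }
        verifyXmlDsigSignature(result, element, document, options);
        verifyManifest(result, element, options);
        for (XadesSpecification xadesSpecification : this.specs) {
            xadesSpecification.verify(result, element);
        }
        validateChain(result, options);
        return result;
    }

    /**
     * When nested manifests are followed, flags every {@code ds:Reference} whose {@code Type}
     * ends in "Manifest" but is not the standard XMLDSig manifest type with
     * {@code SIGNATURE_MANIFEST_COULD_NOT_BE_VERIFIED}. A signature without {@code ds:SignedInfo}
     * gets the same error instead of a NullPointerException.
     */
    private void verifyManifest(SignatureVerificationResult result, Element element, Map<String, Object> options) {
        boolean followNested = ((Boolean) SignatureUtils.getOption(XadesOption.FOLLOWNESTEDMANIFEST, options, Boolean.FALSE)).booleanValue();
        if (!followNested) {
            return;
        }
        NodeList signedInfos = DomUtils.getMatchingChilds(element, XMLNS_DS, "SignedInfo");
        if (signedInfos == null || signedInfos.getLength() == 0) {
            result.addError(SignatureVerificationError.SIGNATURE_MANIFEST_COULD_NOT_BE_VERIFIED);
            return;
        }
        NodeList references = DomUtils.getMatchingChilds((Element) signedInfos.item(0), XMLNS_DS, "Reference");
        if (references == null) {
            return;
        }
        for (int i = 0; i < references.getLength(); i++) {
            String type = ((Element) references.item(i)).getAttribute("Type");
            if (type.endsWith("Manifest") && !type.equalsIgnoreCase(MANIFEST_REFERENCE_TYPE)) {
                result.addError(SignatureVerificationError.SIGNATURE_MANIFEST_COULD_NOT_BE_VERIFIED);
            }
        }
    }

    /**
     * Checks the XMLDSig signature value and records the certificate chain found in the
     * signature's {@code ds:KeyInfo} on the result. Any failure (unparsable signature, missing
     * KeyInfo, bad signature value) becomes {@code SIGNATURE_COULD_NOT_BE_VERIFIED}.
     */
    private void verifyXmlDsigSignature(SignatureVerificationResult result, Element element, Document document, Map<String, Object> options) {
        try {
            XMLSignature xMLSignature = new XMLSignature(element, IdGeneratorFactory.getIdGenerator("uuid").generateId());
            // Nested ds:Manifest references are only dereferenced when the caller opts in (default off).
            xMLSignature.setFollowNestedManifests(((Boolean) SignatureUtils.getOption(XadesOption.FOLLOWNESTEDMANIFEST, options, Boolean.FALSE)).booleanValue());
            xMLSignature.addResourceResolver(new DocumentResolver(document));

            KeyInfo keyInfo = xMLSignature.getKeyInfo();
            // NOTE(review): secure validation is explicitly disabled for KeyInfo processing, and the
            // XMLSignature's own secure-validation setting is left at the library default. Confirm
            // what the Santuario version in use does with both before relying on this for untrusted input.
            keyInfo.setSecureValidation(false);

            // The candidate signing certificate is taken from the signature's own ds:KeyInfo, i.e.
            // from the (not yet trusted) signed content. A successful checkSignatureValue() therefore
            // only proves possession of that certificate's private key; whether the certificate is
            // trusted is expected to be decided by validateChain() (inherited, not shown here).
            result.getCertChain().addAll(new X509DataExctractor().extract(keyInfo));
            X509Certificate signingCert = extractEndCertificate(result.getCertChain());
            result.setSigningCert(signingCert);
            if (!xMLSignature.checkSignatureValue(signingCert)) {
                result.addError(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
            }
        } catch (Exception e) {
            LOG.error("Unable to verify XmlDsig Signature", e);
            result.addError(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
        }
    }

    @Override // be.fgov.ehealth.technicalconnector.signature.SignatureBuilder
    public AdvancedElectronicSignatureEnumeration getSupportedAES() {
        return this.aes;
    }
}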
