package nl.clockwork.ebms.signing;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import nl.clockwork.ebms.common.CPAManager;
import nl.clockwork.ebms.common.KeyStoreManager;
import nl.clockwork.ebms.common.util.SecurityUtils;
import nl.clockwork.ebms.model.CacheablePartyId;
import nl.clockwork.ebms.model.EbMSAttachment;
import nl.clockwork.ebms.model.EbMSMessage;
import nl.clockwork.ebms.util.CPAUtils;
import nl.clockwork.ebms.validation.ValidationException;
import nl.clockwork.ebms.validation.ValidatorException;
import nl.clockwork.ebms.xml.dsig.EbMSAttachmentResolver;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.oasis_open.committees.ebxml_cppa.schema.cpp_cpa_2_0.DeliveryChannel;
import org.oasis_open.committees.ebxml_msg.schema.msg_header_2_0.MessageHeader;
import org.springframework.beans.factory.InitializingBean;
import org.w3._2000._09.xmldsig.ReferenceType;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:nl/clockwork/ebms/signing/EbMSSignatureValidator.class */
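/**
 * Verifies the XML-DSig signature carried by ebMS messages.
 *
 * <p>The signing certificate is not taken from the message's own KeyInfo but looked up in the CPA
 * (the sender's send delivery channel); it is then checked against the configured trust store and
 * used to verify the first {@code ds:Signature} element of the SOAP message.
 */
public class EbMSSignatureValidator implements InitializingBean {
    /** XML-DSig namespace; also the base URI handed to {@link XMLSignature}, as in the original code. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    protected transient Log logger = LogFactory.getLog(getClass());
    private CPAManager cpaManager;
    private String trustStorePath;
    private String trustStorePassword;
    private KeyStore trustStore;

    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        // Loaded once at startup; the path and password setters must have run before this.
        this.trustStore = KeyStoreManager.getKeyStore(this.trustStorePath, this.trustStorePassword);
    }

    /**
     * Validates the signature of an incoming message when the CPA requires non-repudiation for the
     * sender's party, role, service and action. Messages for which the CPA does not require a
     * signature pass without any check.
     *
     * @param ebMSMessage the received message
     * @throws ValidatorException if the trust store or key material cannot be used
     * @throws ValidationException if no signature is present, the signing certificate cannot be found
     *     or is not trusted at the message timestamp, or the signature value does not verify
     */
    public void validate(EbMSMessage ebMSMessage) throws ValidatorException, ValidationException {
        try {
            MessageHeader header = ebMSMessage.getMessageHeader();
            if (this.cpaManager.isNonRepudiationRequired(header.getCPAId(), new CacheablePartyId(header.getFrom().getPartyId()), header.getFrom().getRole(), CPAUtils.toString(header.getService()), header.getAction())) {
                validateSignature(ebMSMessage, ebMSMessage.getAttachments());
            }
        } catch (GeneralSecurityException e) {
            throw new ValidatorException(e);
        } catch (XMLSecurityException e) {
            throw new ValidationException(e);
        }
    }

    /**
     * Validates the signature of an acknowledgment when the request asked for a signed
     * acknowledgment, and checks that the acknowledgment's references match the request's
     * signature references.
     *
     * @param ebMSMessage the original request
     * @param ebMSMessage2 the acknowledgment received for the request
     * @throws ValidatorException if the trust store or key material cannot be used
     * @throws ValidationException if the acknowledgment is unsigned, its certificate is missing or
     *     untrusted, its signature does not verify, or its references differ from the request's
     */
    public void validate(EbMSMessage ebMSMessage, EbMSMessage ebMSMessage2) throws ValidatorException, ValidationException {
        try {
            if (ebMSMessage.getAckRequested().isSigned()) {
                // No attachments are handed to the resolver for an acknowledgment (unchanged behaviour).
                validateSignature(ebMSMessage2, new ArrayList<EbMSAttachment>());
                validateSignatureReferences(ebMSMessage, ebMSMessage2);
            }
        } catch (GeneralSecurityException e) {
            throw new ValidatorException(e);
        } catch (XMLSecurityException e) {
            throw new ValidationException(e);
        }
    }

    /**
     * Shared signature check: locate the signature element, look up the sender's certificate in the
     * CPA, check it against the trust store and verify the signature value.
     *
     * @param message the signed message
     * @param attachments attachments the signature's references may resolve to
     */
    private void validateSignature(EbMSMessage message, List<EbMSAttachment> attachments) throws ValidationException, GeneralSecurityException, XMLSecurityException {
        NodeList signatures = message.getMessage().getElementsByTagNameNS(XMLDSIG_NS, "Signature");
        if (signatures.getLength() <= 0) {
            throw new ValidationException("Signature not found!");
        }
        MessageHeader header = message.getMessageHeader();
        X509Certificate certificate = getCertificate(header);
        if (certificate == null) {
            throw new ValidationException("Certificate not found!");
        }
        SecurityUtils.validateCertificate(this.trustStore, certificate, validityInstant(header));
        // NOTE(review): only the first ds:Signature element is verified; any further ones are ignored.
        if (!verify(certificate, (Element) signatures.item(0), attachments)) {
            throw new ValidationException("Invalid Signature!");
        }
    }

    /**
     * Instant at which the signing certificate has to be valid: the header timestamp, or the
     * current time when the header carries none.
     *
     * NOTE(review): the instant comes from the sender-supplied header, so certificate validity is
     * judged at a time the sender chose; no skew bound against local time is enforced here.
     */
    private static Date validityInstant(MessageHeader header) {
        Date timestamp = header.getMessageData().getTimestamp();
        return timestamp == null ? new Date() : timestamp;
    }

    /**
     * Verifies the signature value of {@code signatureElement} against the given certificate,
     * letting references resolve against the message attachments.
     */
    private boolean verify(X509Certificate certificate, Element signatureElement, List<EbMSAttachment> attachments) throws XMLSignatureException, XMLSecurityException {
        XMLSignature signature = new XMLSignature(signatureElement, XMLDSIG_NS);
        signature.addResourceResolver(new EbMSAttachmentResolver(attachments));
        return signature.checkSignatureValue(certificate);
    }

    /**
     * Looks up the sender's signing certificate in the CPA's send delivery channel.
     *
     * @return the certificate, or {@code null} when no delivery channel exists or the certificate
     *     cannot be parsed (the parse failure is logged)
     */
    private X509Certificate getCertificate(MessageHeader messageHeader) {
        try {
            DeliveryChannel channel = this.cpaManager.getSendDeliveryChannel(messageHeader.getCPAId(), new CacheablePartyId(messageHeader.getFrom().getPartyId()), messageHeader.getFrom().getRole(), CPAUtils.toString(messageHeader.getService()), messageHeader.getAction());
            if (channel == null) {
                return null;
            }
            return CPAUtils.getX509Certificate(CPAUtils.getSigningCertificate(channel));
        } catch (CertificateException e) {
            // Was logged with an empty message; say which CPA the unusable certificate belongs to.
            this.logger.warn("Unable to read signing certificate from CPA " + messageHeader.getCPAId(), e);
            return null;
        }
    }

    /**
     * Checks that every signature reference of the request appears in the acknowledgment's
     * references, and that both sides carry the same number of references.
     *
     * <p>Note: this is a containment check, so duplicated references on either side are not detected.
     */
    private void validateSignatureReferences(EbMSMessage request, EbMSMessage response) throws ValidationException {
        Collection<ReferenceType> requestReferences = request.getSignature().getSignedInfo().getReference();
        if (requestReferences == null || requestReferences.isEmpty()) {
            throw new ValidationException("No signature references found in request message " + messageId(request));
        }
        Collection<ReferenceType> responseReferences = response.getAcknowledgment().getReference();
        if (responseReferences == null || responseReferences.isEmpty()) {
            throw new ValidationException("No signature references found in response message " + messageId(response));
        }
        if (requestReferences.size() != responseReferences.size()) {
            throw new ValidationException("Nr of signature references found in request message " + messageId(request) + " and response message " + messageId(response) + " do not match");
        }
        for (ReferenceType reference : requestReferences) {
            if (!containsReference(responseReferences, reference)) {
                throw new ValidationException("Signature references found in request message " + messageId(request) + " and response message " + messageId(response) + " do not match");
            }
        }
    }

    /** Message id from the header, read only when an error message needs it. */
    private static String messageId(EbMSMessage message) {
        return message.getMessageHeader().getMessageData().getMessageId();
    }

    /** True when {@code reference} matches (URI and digest) one of {@code candidates}. */
    private boolean containsReference(Collection<ReferenceType> candidates, ReferenceType reference) {
        for (ReferenceType candidate : candidates) {
            if (equals(reference, candidate)) {
                return true;
            }
        }
        return false;
    }

    /** Two references are equal when their URIs are equal (both may be absent) and their digests are byte-wise equal. */
    private boolean equals(ReferenceType referenceType, ReferenceType referenceType2) {
        // Objects.equals avoids a NullPointerException on a reference without a URI attribute.
        return Objects.equals(referenceType.getURI(), referenceType2.getURI()) && Arrays.equals(referenceType.getDigestValue(), referenceType2.getDigestValue());
    }

    public void setCpaManager(CPAManager cPAManager) {
        this.cpaManager = cPAManager;
    }

    public void setTrustStorePath(String str) {
        this.trustStorePath = str;
    }

    public void setTrustStorePassword(String str) {
        this.trustStorePassword = str;
    }
}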
