package net.shibboleth.metadata.dom.impl;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.NotThreadSafe;
import javax.security.auth.x500.X500Principal;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.namespace.QName;
import net.shibboleth.metadata.Item;
import net.shibboleth.metadata.dom.XMLSignatureSigningStage;
import net.shibboleth.metadata.dom.ds.XMLDSIGSupport;
import net.shibboleth.metadata.pipeline.StageProcessingException;
import net.shibboleth.shared.annotation.constraint.Live;
import net.shibboleth.shared.annotation.constraint.NonnullElements;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.xml.ElementSupport;
import net.shibboleth.shared.xml.QNameSupport;
import org.slf4j.Logger;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

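/**
 * Signs the DOM {@link Element} carried by an {@link Item} with an enveloped XML Signature.
 *
 * <p>All configuration (key material, algorithms, {@code KeyInfo} content flags) is copied
 * from an {@link XMLSignatureSigningStage} when the signer is constructed. The resulting
 * {@code ds:Signature} is inserted as the first child of the signed element and carries a
 * single reference to that element: by ID when an ID attribute can be found, otherwise the
 * whole document (URI {@code ""}). The reference is transformed with the enveloped-signature
 * transform followed by the configured canonicalization method.</p>
 *
 * <p>Instances are not thread-safe: the {@link XMLSignatureFactory} and
 * {@link KeyInfoFactory} held here are used without any synchronization.</p>
 */
@NotThreadSafe
public class XMLSignatureSigner {

    /** Signature method URI used for the SHA-1 variant. */
    @Nonnull private static final String SIG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

    /** Signature method URI used for the SHA-256 variant (also the default). */
    @Nonnull private static final String SIG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Signature method URI used for the SHA-384 variant. */
    @Nonnull private static final String SIG_RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";

    /** Signature method URI used for the SHA-512 variant. */
    @Nonnull private static final String SIG_RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";

    /** Digest method URI used for the SHA-1 variant. */
    @Nonnull private static final String DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";

    /** Digest method URI used for the SHA-256 variant (also the default). */
    @Nonnull private static final String DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";

    /** Digest method URI used for the SHA-384 variant. */
    @Nonnull private static final String DIGEST_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";

    /** Digest method URI used for the SHA-512 variant. */
    @Nonnull private static final String DIGEST_SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512";

    /** Property understood by the JDK XML-DSig implementation that makes it retain the pre-digest data. */
    @Nonnull private static final String CACHE_REFERENCE_PROPERTY = "javax.xml.crypto.dsig.cacheReference";

    /** Logger supplied by the owning stage. */
    @Nonnull
    private final Logger log;

    /** Private key used to produce the signature value. */
    @Nonnull
    private final PrivateKey privKey;

    /** Public key to publish in a {@code KeyValue}; may be absent, in which case the first certificate's key is used. */
    @Nullable
    private final PublicKey publicKey;

    /** Namespace prefixes listed as inclusive when exclusive canonicalization is in use. */
    @Unmodifiable
    @Nonnull
    @NonnullElements
    private final List<String> inclusivePrefixList;

    /** Qualified names of attributes that are to be treated as element IDs. */
    @Unmodifiable
    @Nonnull
    @NonnullElements
    private final List<QName> idAttributeNames;

    /** Key names to publish as {@code KeyName} elements. */
    @Unmodifiable
    @Nonnull
    @NonnullElements
    private final List<String> keyNames;

    /** Certificates to publish in {@code X509Data}; the first one is used for subject name and issuer/serial. */
    @Unmodifiable
    @Nonnull
    @NonnullElements
    private final List<X509Certificate> certificates;

    /** CRLs to publish in {@code X509Data}. */
    @Unmodifiable
    @Nonnull
    @NonnullElements
    private final List<X509CRL> crls;

    /** Whether {@code KeyName} elements are emitted. */
    private final boolean includeKeyNames;

    /** Whether a {@code KeyValue} element is emitted. */
    private final boolean includeKeyValue;

    /** Whether an {@code X509SubjectName} element is emitted. */
    private final boolean includeX509SubjectName;

    /** Whether {@code X509Certificate} elements are emitted. */
    private final boolean includeX509Certificates;

    /** Whether {@code X509CRL} elements are emitted. */
    private final boolean includeX509Crls;

    /** Whether an {@code X509IssuerSerial} element is emitted. */
    private final boolean includeX509IssuerSerial;

    /** Whether the canonicalized pre-digest data is logged at DEBUG after signing. */
    private final boolean debugPreDigest;

    /** Whether carriage returns are stripped from the generated signature value and certificate text. */
    private final boolean removingCRsFromSignature;

    /** Canonicalization method URI (one of the {@link CanonicalizationMethod} constants). */
    @Nonnull
    private final String c14nAlgo;

    /** Signature method URI. */
    @Nonnull
    private final String sigAlgo;

    /** Digest method URI. */
    @Nonnull
    private final String digestAlgo;

    /** Factory for all signature structures. */
    @Nonnull
    private final XMLSignatureFactory xmlSigFactory = XMLSignatureFactory.getInstance();

    /** Factory for {@code KeyInfo} structures, obtained from {@link #xmlSigFactory}. */
    @Nonnull
    private final KeyInfoFactory keyInfoFactory = this.xmlSigFactory.getKeyInfoFactory();

    /**
     * Constructor.
     *
     * <p>The stage's configuration is read under the stage's own monitor so that a concurrent
     * reconfiguration cannot produce a half-updated snapshot.</p>
     *
     * @param xMLSignatureSigningStage the stage whose configuration is copied
     * @param logger logger to use for debug output
     */
    public XMLSignatureSigner(@Nonnull final XMLSignatureSigningStage xMLSignatureSigningStage,
            @Nonnull final Logger logger) {
        this.log = logger;
        synchronized (xMLSignatureSigningStage) {
            this.c14nAlgo = selectC14nAlgorithm(xMLSignatureSigningStage.isC14nExclusive(),
                    xMLSignatureSigningStage.isC14nWithComments());

            switch (xMLSignatureSigningStage.getSHAVariant()) {
                case SHA1:
                    // Retained for legacy configurations only; SHA-1 based signatures are
                    // rejected by many current verifiers.
                    this.sigAlgo = SIG_RSA_SHA1;
                    this.digestAlgo = DIGEST_SHA1;
                    break;
                case SHA384:
                    this.sigAlgo = SIG_RSA_SHA384;
                    this.digestAlgo = DIGEST_SHA384;
                    break;
                case SHA512:
                    this.sigAlgo = SIG_RSA_SHA512;
                    this.digestAlgo = DIGEST_SHA512;
                    break;
                case SHA256:
                default:
                    this.sigAlgo = SIG_RSA_SHA256;
                    this.digestAlgo = DIGEST_SHA256;
                    break;
            }

            this.privKey = Constraint.isNotNull(xMLSignatureSigningStage.getPrivateKey(),
                    "privateKey may not be null");
            this.publicKey = xMLSignatureSigningStage.getPublicKey();
            this.inclusivePrefixList = xMLSignatureSigningStage.getInclusivePrefixList();
            this.idAttributeNames = xMLSignatureSigningStage.getIdAttributeNames();
            this.keyNames = xMLSignatureSigningStage.getKeyNames();
            this.certificates = xMLSignatureSigningStage.getCertificates();
            this.crls = xMLSignatureSigningStage.getCrls();
            this.includeKeyNames = xMLSignatureSigningStage.isIncludeKeyNames();
            this.includeKeyValue = xMLSignatureSigningStage.isIncludeKeyValue();
            this.includeX509SubjectName = xMLSignatureSigningStage.isIncludeX509SubjectName();
            this.includeX509Certificates = xMLSignatureSigningStage.isIncludeX509Certificates();
            this.includeX509Crls = xMLSignatureSigningStage.isIncludeX509Crls();
            this.includeX509IssuerSerial = xMLSignatureSigningStage.isIncludeX509IssuerSerial();
            // The logger's DEBUG state is captured once here, not re-checked per item.
            this.debugPreDigest = xMLSignatureSigningStage.isDebugPreDigest() && this.log.isDebugEnabled();
            this.removingCRsFromSignature = xMLSignatureSigningStage.isRemovingCRsFromSignature();
        }
    }

    /**
     * Maps the two canonicalization flags onto a canonicalization method URI.
     *
     * @param exclusive whether exclusive canonicalization is requested
     * @param withComments whether comments are to be retained
     * @return the matching {@link CanonicalizationMethod} constant
     */
    @Nonnull
    private static String selectC14nAlgorithm(final boolean exclusive, final boolean withComments) {
        if (exclusive) {
            return withComments ? CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS
                    : CanonicalizationMethod.EXCLUSIVE;
        }
        return withComments ? CanonicalizationMethod.INCLUSIVE_WITH_COMMENTS
                : CanonicalizationMethod.INCLUSIVE;
    }

    /**
     * Signs the item's element in place, inserting the {@code ds:Signature} as its first child.
     *
     * @param item item whose DOM element is to be signed
     * @throws StageProcessingException if the signature structures cannot be built, if signing
     *      fails, if the pre-digest data cannot be read for logging, or if the inserted
     *      signature element cannot be located afterwards
     */
    public void sign(@Nonnull final Item<Element> item) throws StageProcessingException {
        final Element element = item.unwrap();
        final XMLSignature signature = this.xmlSigFactory.newXMLSignature(buildSignedInfo(element), buildKeyInfo());

        // nextSibling = current first child places the signature ahead of all existing children.
        final DOMSignContext signContext = new DOMSignContext(this.privKey, element, element.getFirstChild());
        if (this.debugPreDigest) {
            // Without this property the implementation discards the canonicalized reference
            // input once it has been digested, and there would be nothing to log below.
            signContext.setProperty(CACHE_REFERENCE_PROPERTY, Boolean.TRUE);
        }

        try {
            signature.sign(signContext);
        } catch (final Exception e) {
            throw new StageProcessingException("Unable to create signature for element", e);
        }

        if (this.debugPreDigest) {
            logPreDigest(signature);
        }

        if (this.removingCRsFromSignature) {
            final Element signatureElement = ElementSupport.getFirstChildElement(element, XMLDSIGSupport.SIGNATURE_NAME);
            if (signatureElement == null) {
                throw new StageProcessingException("Unable to locate signature element after signing");
            }
            removeCRsFromNamedChildren(signatureElement, "SignatureValue");
            removeCRsFromNamedChildren(signatureElement, "X509Certificate");
        }
    }

    /**
     * Logs the canonicalized input of the signature's single reference at DEBUG level.
     *
     * <p>Only meaningful after {@link #sign(Item)} has set the cache-reference property; the
     * logged text is the complete canonicalized document, so this is for diagnostics only.</p>
     *
     * @param signature the signature that has just been generated
     * @throws StageProcessingException if the cached pre-digest stream cannot be read
     */
    private void logPreDigest(@Nonnull final XMLSignature signature) throws StageProcessingException {
        final Reference reference = signature.getSignedInfo().getReferences().get(0);
        try (InputStream preDigest = reference.getDigestInputStream()) {
            if (preDigest == null) {
                // The implementation did not retain the reference input; nothing to show.
                this.log.debug("pre digest: not available");
                return;
            }
            this.log.debug("pre digest: {}", new String(preDigest.readAllBytes(), StandardCharsets.UTF_8));
        } catch (final IOException e) {
            throw new StageProcessingException("Unable to log pre-digest data", e);
        }
    }

    /**
     * Builds the {@code SignedInfo} for the given element: the configured canonicalization and
     * signature methods plus a single reference to the element.
     *
     * @param element element being signed
     * @return the signed info structure
     * @throws StageProcessingException if the reference, canonicalization method or signature
     *      method cannot be created
     */
    @Nonnull
    protected SignedInfo buildSignedInfo(@Nonnull final Element element) throws StageProcessingException {
        // Built first so that reference failures surface with their own message rather than
        // being re-wrapped as a canonicalization or signature-method failure.
        final Reference reference = buildSignatureReference(element);

        final CanonicalizationMethod c14nMethod;
        try {
            c14nMethod = this.xmlSigFactory.newCanonicalizationMethod(this.c14nAlgo, buildExcC14nParameterSpec());
        } catch (final GeneralSecurityException e) {
            throw new StageProcessingException("Unable to create transform " + this.c14nAlgo, e);
        }

        final SignatureMethod signatureMethod;
        try {
            signatureMethod = this.xmlSigFactory.newSignatureMethod(this.sigAlgo, (SignatureMethodParameterSpec) null);
        } catch (final GeneralSecurityException e) {
            throw new StageProcessingException("Unable to create signature method " + this.sigAlgo, e);
        }

        final SignedInfo signedInfo = this.xmlSigFactory.newSignedInfo(c14nMethod, signatureMethod,
                Collections.singletonList(reference));
        assert signedInfo != null;
        return signedInfo;
    }

    /**
     * Builds the parameters for exclusive canonicalization, if any are needed.
     *
     * @return an {@link ExcC14NParameterSpec} carrying the inclusive prefix list when the
     *      configured canonicalization method is one of the exclusive variants and prefixes
     *      were configured; {@code null} otherwise
     */
    @Nullable
    private ExcC14NParameterSpec buildExcC14nParameterSpec() {
        // Both exclusive variants share the EXCLUSIVE URI as their prefix.
        if (this.c14nAlgo.startsWith(CanonicalizationMethod.EXCLUSIVE)
                && this.inclusivePrefixList != null && !this.inclusivePrefixList.isEmpty()) {
            return new ExcC14NParameterSpec(this.inclusivePrefixList);
        }
        return null;
    }

    /**
     * Builds the reference covering the element: digest method, an enveloped-signature
     * transform and the configured canonicalization transform.
     *
     * @param element element being signed
     * @return a reference to the element by ID, or to the whole document when no ID is found
     * @throws StageProcessingException if the digest method or a transform cannot be created
     */
    @Nonnull
    protected Reference buildSignatureReference(@Nonnull final Element element) throws StageProcessingException {
        final String elementId = getElementId(element);
        // Same-document reference by ID, or "" for the entire document.
        final String uri = elementId == null ? "" : "#" + elementId;

        final DigestMethod digestMethod;
        try {
            digestMethod = this.xmlSigFactory.newDigestMethod(this.digestAlgo, (DigestMethodParameterSpec) null);
        } catch (final GeneralSecurityException e) {
            throw new StageProcessingException("Unable to create digest method " + this.digestAlgo, e);
        }

        final List<Transform> transforms = new ArrayList<>(2);
        try {
            transforms.add(this.xmlSigFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null));
        } catch (final GeneralSecurityException e) {
            throw new StageProcessingException("Unable to create transform " + Transform.ENVELOPED, e);
        }
        try {
            transforms.add(this.xmlSigFactory.newTransform(this.c14nAlgo, buildExcC14nParameterSpec()));
        } catch (final GeneralSecurityException e) {
            throw new StageProcessingException("Unable to create transform " + this.c14nAlgo, e);
        }

        final Reference reference = this.xmlSigFactory.newReference(uri, digestMethod, transforms,
                (String) null, (String) null);
        assert reference != null;
        return reference;
    }

    /**
     * Finds the ID of the element, if it has one.
     *
     * <p>Attributes whose qualified name is in the configured ID attribute list are preferred;
     * such an attribute is also registered with the DOM as an ID attribute so that the
     * {@code #id} reference URI resolves during signing. Failing that, any attribute the DOM
     * already reports as an ID is used.</p>
     *
     * @param element element to inspect
     * @return the trimmed, non-empty ID value, or {@code null} if none is found
     */
    @Nullable
    protected String getElementId(@Nonnull final Element element) {
        final NamedNodeMap attributes = element.getAttributes();
        if (attributes == null || attributes.getLength() < 1) {
            return null;
        }

        if (this.idAttributeNames != null && !this.idAttributeNames.isEmpty()) {
            for (int i = 0; i < attributes.getLength(); i++) {
                final Attr attr = (Attr) attributes.item(i);
                assert attr != null;
                if (this.idAttributeNames.contains(QNameSupport.getNodeQName(attr))) {
                    // Registered as an ID even if the value turns out to be blank, as before.
                    element.setIdAttributeNode(attr, true);
                    final String id = StringSupport.trimOrNull(attr.getValue());
                    if (id != null) {
                        return id;
                    }
                }
            }
        }

        for (int i = 0; i < attributes.getLength(); i++) {
            final Attr attr = (Attr) attributes.item(i);
            if (attr.isId()) {
                final String id = StringSupport.trimOrNull(attr.getValue());
                if (id != null) {
                    return id;
                }
            }
        }
        return null;
    }

    /**
     * Builds the {@code KeyInfo} from the configured key names, key value and X.509 data.
     *
     * @return the key info, or {@code null} if nothing is to be published
     * @throws StageProcessingException if a component cannot be created
     */
    @Nullable
    protected KeyInfo buildKeyInfo() throws StageProcessingException {
        final List<XMLStructure> content = new ArrayList<>();
        addKeyNames(content);
        addKeyValue(content);
        addX509Data(content);
        return content.isEmpty() ? null : this.keyInfoFactory.newKeyInfo(content);
    }

    /**
     * Appends a {@code KeyName} for each configured key name, when enabled.
     *
     * @param list key info content being assembled
     * @throws StageProcessingException never thrown here; retained for interface compatibility
     */
    protected void addKeyNames(@Nonnull @Live @NonnullElements final List<XMLStructure> list)
            throws StageProcessingException {
        if (!this.includeKeyNames || this.keyNames == null || this.keyNames.isEmpty()) {
            return;
        }
        for (final String keyName : this.keyNames) {
            list.add(this.keyInfoFactory.newKeyName(keyName));
        }
    }

    /**
     * Appends a {@code KeyValue}, when enabled and a public key is available.
     *
     * @param list key info content being assembled
     * @throws StageProcessingException if the key value cannot be created from the key
     */
    protected void addKeyValue(@Nonnull @Live @NonnullElements final List<XMLStructure> list)
            throws StageProcessingException {
        if (!this.includeKeyValue) {
            return;
        }
        PublicKey key = this.publicKey;
        if (key == null && this.certificates != null && !this.certificates.isEmpty()) {
            // No explicit public key: fall back to the first configured certificate's key.
            key = this.certificates.get(0).getPublicKey();
        }
        if (key == null) {
            return;
        }
        try {
            list.add(this.keyInfoFactory.newKeyValue(key));
        } catch (final GeneralSecurityException e) {
            throw new StageProcessingException("Unable to create KeyValue", e);
        }
    }

    /**
     * Appends an {@code X509Data} built from the configured certificates and CRLs, when any of
     * the X.509 content flags are enabled and there is something to publish.
     *
     * <p>{@link KeyInfoFactory#newX509Data} accepts only {@code String}, {@code byte[]},
     * {@link X509Certificate}, {@link X509CRL} and {@code X509IssuerSerial} entries, so the
     * CRL list is flattened into the content rather than added as a single entry.</p>
     *
     * @param list key info content being assembled
     */
    protected void addX509Data(@Nonnull @Live @NonnullElements final List<XMLStructure> list) {
        final List<Object> x509Content = new ArrayList<>();
        if (this.certificates != null && !this.certificates.isEmpty()) {
            // Subject name and issuer/serial are taken from the first certificate only.
            final X509Certificate firstCert = this.certificates.get(0);
            if (this.includeX509SubjectName) {
                x509Content.add(firstCert.getSubjectX500Principal().getName(X500Principal.RFC2253));
            }
            if (this.includeX509Certificates) {
                x509Content.addAll(this.certificates);
            }
            if (this.includeX509IssuerSerial) {
                final X500Principal issuer = firstCert.getIssuerX500Principal();
                x509Content.add(this.keyInfoFactory.newX509IssuerSerial(issuer.getName(X500Principal.RFC2253),
                        firstCert.getSerialNumber()));
            }
        }
        if (this.includeX509Crls && this.crls != null && !this.crls.isEmpty()) {
            x509Content.addAll(this.crls);
        }
        if (!x509Content.isEmpty()) {
            list.add(this.keyInfoFactory.newX509Data(x509Content));
        }
    }

    /**
     * Removes carriage-return characters from the text content of every descendant
     * {@code ds:} element with the given local name.
     *
     * @param element element below which to search (normally the {@code ds:Signature})
     * @param localName local name of the XML Signature elements to rewrite
     */
    private void removeCRsFromNamedChildren(@Nonnull final Element element, @Nonnull final String localName) {
        final NodeList nodes = element.getElementsByTagNameNS(XMLSignature.XMLNS, localName);
        // Rewriting text content does not add or remove elements, so the live list is stable.
        for (int i = 0; i < nodes.getLength(); i++) {
            final Node node = nodes.item(i);
            final String text = node.getTextContent();
            if (text != null && text.indexOf('\r') >= 0) {
                node.setTextContent(text.replace("\r", ""));
            }
        }
    }
}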
