package gov.nist.secautotrust.signature;

import gov.nist.secautotrust.signature.config.ValidateSigConfig;
import gov.nist.secautotrust.signature.exception.TMSADException;
import gov.nist.secautotrust.signature.model.IReferenceValidationResult;
import gov.nist.secautotrust.signature.model.ISignatureValidationResult;
import gov.nist.secautotrust.signer.MappedURIDereferencer;
import gov.nist.secautotrust.util.Util;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.Manifest;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLObject;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:gov/nist/secautotrust/signature/XMLValidator.class */
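/**
 * Validates XML Digital Signatures ({@code ds:Signature}) found in a document or handed in as
 * DOM nodes, anchoring trust in a caller-supplied public key.
 *
 * <p>Trust model, as implemented here: the signer's key is read from {@code KeyInfo/KeyValue}.
 * When {@code X509Data} certificates are present, the certificate carrying that key is chained
 * (PKIX, revocation checking disabled) to a self-signed certificate carried in the same
 * {@code KeyInfo}; that root's public key must equal the key returned by
 * {@code ValidateSigConfig.getTrustedPublicKey()}. Because revocation is never checked, a
 * revoked-but-otherwise-valid certificate chained to the trusted root is still accepted.
 *
 * <p>Instances are not thread-safe; {@link #validateContent} creates one per call.
 */
public class XMLValidator {
    /** XML Signature namespace; used to locate {@code Signature} and {@code KeyInfo} elements. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /** JSR 105 context property that turns on the provider's secure-validation restrictions. */
    private static final String SECURE_VALIDATION_PROPERTY = "org.jcp.xml.dsig.secureValidation";
    /** Security provider this code requires for the cert store and the PKIX path builder. */
    private static final String PROVIDER = "BC";

    private final XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
    /** Optional resolver for Reference URIs; {@code null} means the factory's default dereferencer is used. */
    private final UriResolver resolver;

    /** Digest-validation outcome for a single {@code ds:Reference}. */
    public static class ReferenceValidationResult implements IReferenceValidationResult {
        private String refUri = null;
        private boolean isRefValid = false;

        private ReferenceValidationResult() {
        }

        /** Records the {@code URI} attribute of the reference (may be {@code null} for the same-document reference). */
        public void setRefUri(String str) {
            this.refUri = str;
        }

        /** Records whether the reference's digest matched the dereferenced content. */
        public void setRefValid(boolean z) {
            this.isRefValid = z;
        }

        @Override // gov.nist.secautotrust.signature.model.IReferenceValidationResult
        public String getReferenceURI() {
            return this.refUri;
        }

        @Override // gov.nist.secautotrust.signature.model.IReferenceValidationResult
        public boolean isReferenceDigestValid() {
            return this.isRefValid;
        }
    }

    /**
     * Outcome for one {@code ds:Signature}: the signature-value check, the per-reference digest
     * checks of {@code SignedInfo}, and, per {@code Manifest} found in any {@code Object}, the
     * digest checks of that manifest's references.
     */
    public static class SignatureValidationResult implements ISignatureValidationResult {
        private boolean isSignatureValid = false;
        private String signatureId = null;
        private List<IReferenceValidationResult> sigRefs = null;
        private List<List<IReferenceValidationResult>> maniRefs = null;

        private SignatureValidationResult() {
        }

        /** Sets the results for the references listed in {@code SignedInfo}. */
        public void setSigRefs(List<IReferenceValidationResult> list) {
            this.sigRefs = list;
        }

        /** Sets one result list per {@code Manifest}, in document order. */
        public void setManiRefs(List<List<IReferenceValidationResult>> list) {
            this.maniRefs = list;
        }

        /** Sets the outcome of validating {@code SignatureValue} against the signing key. */
        public void setSignatureValid(boolean z) {
            this.isSignatureValid = z;
        }

        /** Sets the {@code Id} attribute of the {@code Signature} element, or {@code null}. */
        public void setSignatureId(String str) {
            this.signatureId = str;
        }

        @Override // gov.nist.secautotrust.signature.model.ISignatureValidationResult
        public List<List<IReferenceValidationResult>> getManifestsReferenceResults() {
            return this.maniRefs;
        }

        @Override // gov.nist.secautotrust.signature.model.ISignatureValidationResult
        public List<IReferenceValidationResult> getSignatureReferenceResults() {
            return this.sigRefs;
        }

        @Override // gov.nist.secautotrust.signature.model.ISignatureValidationResult
        public boolean isSignatureValid() {
            return this.isSignatureValid;
        }

        @Override // gov.nist.secautotrust.signature.model.ISignatureValidationResult
        public String getSignatureId() {
            return this.signatureId;
        }
    }

    /**
     * Validates every signature described by {@code validateSigConfig}.
     *
     * <p>If {@code getContent()} is non-null it is parsed (with external entity resolution
     * disabled, since the content is unauthenticated at this point) and every
     * {@code ds:Signature} element in it is validated. Otherwise the nodes returned by
     * {@code getSignatureNodes()} are validated directly. The previous implementation parsed the
     * content before checking it for {@code null}, which made the node path unreachable.
     *
     * @param validateSigConfig content or signature nodes, trusted root key and optional URI resolver
     * @return one result per signature, in document (or iteration) order; never {@code null}
     * @throws TMSADException if any individual signature cannot be validated (its cause carries the detail)
     * @throws ParserConfigurationException if the XML parser cannot be created or hardened
     * @throws IOException if the content cannot be read
     * @throws SAXException if the content is not well-formed XML
     * @throws XMLSignatureException if neither the content nor the node list yields a {@code Signature}
     */
    public static List<ISignatureValidationResult> validateContent(ValidateSigConfig validateSigConfig)
            throws TMSADException, ParserConfigurationException, IOException, SAXException, XMLSignatureException {
        Objects.requireNonNull(validateSigConfig, "validateSigConfig");
        XMLValidator validator = new XMLValidator(validateSigConfig.getResolver());
        PublicKey trustedKey = validateSigConfig.getTrustedPublicKey();
        List<ISignatureValidationResult> results = new ArrayList<>();
        if (validateSigConfig.getContent() != null) {
            Document document = newHardenedDocumentBuilderFactory().newDocumentBuilder().parse(validateSigConfig.getContent());
            Util.setIdOnDOM(document, new HashSet<>());
            NodeList signatureElements = getSignatureElements(document);
            for (int i = 0, n = signatureElements.getLength(); i < n; i++) {
                results.add(validator.validateSignature(signatureElements.item(i), trustedKey));
            }
        } else {
            // NOTE(review): Util.setIdOnDOM is only applied on the parsed-content path; nodes passed
            // in directly are assumed to belong to a document the caller already prepared — confirm.
            Iterable<Node> signatureNodes = validateSigConfig.getSignatureNodes();
            if (signatureNodes == null || !signatureNodes.iterator().hasNext()) {
                throw new XMLSignatureException("Cannot find Signature element");
            }
            for (Node signatureNode : signatureNodes) {
                results.add(validator.validateSignature(signatureNode, trustedKey));
            }
        }
        return results;
    }

    /**
     * Creates a namespace-aware {@link DocumentBuilderFactory} that does not fetch external
     * entities or external DTDs. The document being parsed has not been authenticated yet, so
     * the parser must not be allowed to reach out to attacker-chosen URIs. If the installed
     * parser cannot honour one of these features the method fails closed with
     * {@link ParserConfigurationException} rather than parsing with a weaker configuration.
     */
    private static DocumentBuilderFactory newHardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return dbf;
    }

    /**
     * Returns all {@code ds:Signature} elements of {@code document}.
     *
     * @throws XMLSignatureException if the document contains none
     */
    private static NodeList getSignatureElements(Document document) throws XMLSignatureException {
        NodeList signatures = document.getElementsByTagNameNS(XMLDSIG_NS, "Signature");
        if (signatures.getLength() == 0) {
            throw new XMLSignatureException("Cannot find Signature element");
        }
        return signatures;
    }

    private XMLValidator(UriResolver uriResolver) {
        this.resolver = uriResolver;
    }

    /**
     * Validates one {@code ds:Signature} node against {@code publicKey}, the trusted root.
     *
     * <p>The signing key is never taken from the caller; it is recovered from the signature's
     * {@code KeyInfo} by {@link #buildAndVerifyCertificateChain} and accepted only if the root
     * of that chain equals {@code publicKey}. Without that comparison any self-signed chain
     * embedded in the signature would validate against itself.
     *
     * @param node the {@code Signature} element
     * @param publicKey the trusted root key the chain must end in
     * @return the per-signature, per-reference and per-manifest results
     * @throws TMSADException wrapping any failure (parsing, chain building, untrusted root, validation error)
     */
    private ISignatureValidationResult validateSignature(Node node, PublicKey publicKey) throws TMSADException {
        try {
            PublicKey[] chainKeys = buildAndVerifyCertificateChain((Element) node);
            if (!isSameKey(chainKeys[0], publicKey)) {
                throw new SignatureException("The root of the certificate chain is not trusted.");
            }
            DOMValidateContext context = new DOMValidateContext(KeySelector.singletonKeySelector(chainKeys[1]), node);
            // Ask the JSR 105 provider to apply its secure-validation limits (what exactly is
            // restricted is provider-defined; see the provider's documentation).
            context.setProperty(SECURE_VALIDATION_PROPERTY, Boolean.TRUE);
            if (this.resolver != null) {
                context.setURIDereferencer(new MappedURIDereferencer(this.factory.getURIDereferencer(), this.resolver));
            }
            XMLSignature signature = this.factory.unmarshalXMLSignature(context);
            // Core validation; its boolean is deliberately not used because the per-part
            // outcomes below are reported individually.
            signature.validate(context);

            SignatureValidationResult result = new SignatureValidationResult();
            result.setSignatureValid(signature.getSignatureValue().validate(context));
            result.setSignatureId(signature.getId());
            result.setSigRefs(validateReferences(signature.getSignedInfo().getReferences(), context));

            List<List<IReferenceValidationResult>> manifestResults = new ArrayList<>();
            for (Object object : signature.getObjects()) {
                if (!(object instanceof XMLObject)) {
                    continue;
                }
                for (Object content : ((XMLObject) object).getContent()) {
                    if (content instanceof Manifest) {
                        manifestResults.add(validateReferences(((Manifest) content).getReferences(), context));
                    }
                }
            }
            result.setManiRefs(manifestResults);
            return result;
        } catch (Exception e) {
            // TMSADException's constructors are not visible here; keep the message and attach the cause.
            TMSADException wrapped = new TMSADException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Validates the digest of every {@link Reference} in {@code references} and reports each URI
     * with its outcome. Non-{@code Reference} entries are skipped.
     *
     * @throws XMLSignatureException if a reference cannot be dereferenced or digested
     */
    private static List<IReferenceValidationResult> validateReferences(List<?> references, DOMValidateContext context)
            throws XMLSignatureException {
        List<IReferenceValidationResult> results = new ArrayList<>();
        for (Object candidate : references) {
            if (candidate instanceof Reference) {
                Reference reference = (Reference) candidate;
                ReferenceValidationResult entry = new ReferenceValidationResult();
                entry.setRefUri(reference.getURI());
                entry.setRefValid(reference.validate(context));
                results.add(entry);
            }
        }
        return results;
    }

    /**
     * Derives {@code [rootKey, signingKey]} from the signature's {@code KeyInfo}.
     *
     * <ul>
     *   <li>No certificates: the {@code KeyValue} key is returned as both entries, so the caller
     *       compares it directly with the trusted key.</li>
     *   <li>One certificate: it must be self-signed and carry the {@code KeyValue} key.</li>
     *   <li>Several certificates: exactly one self-signed certificate is taken as trust anchor,
     *       the certificate carrying the {@code KeyValue} key as target, and a PKIX path between
     *       them is built from the remaining certificates. Revocation checking is disabled.</li>
     * </ul>
     *
     * <p>Everything here, including the would-be anchor, comes from the signature itself. The
     * anchor is only meaningful once the caller has matched its key against the trusted key.
     *
     * @param element the {@code Signature} element
     * @return a two-element array: the root's public key, then the signing certificate's public key
     * @throws XMLSignatureException if {@code KeyInfo} is missing
     * @throws SignatureException if {@code KeyValue} is missing or the certificates do not form the expected shape
     * @throws CertPathBuilderException if no PKIX path from target to anchor can be built
     */
    private PublicKey[] buildAndVerifyCertificateChain(Element element)
            throws XMLSignatureException, MarshalException, InvalidAlgorithmParameterException, NoSuchAlgorithmException,
            NoSuchProviderException, CertPathBuilderException, CertificateException, SignatureException, KeyException {
        NodeList keyInfoNodes = element.getElementsByTagNameNS(XMLDSIG_NS, "KeyInfo");
        if (keyInfoNodes.getLength() == 0) {
            throw new XMLSignatureException("Cannot find KeyInfo element");
        }
        KeyInfo keyInfo = this.factory.getKeyInfoFactory().unmarshalKeyInfo(new DOMStructure(keyInfoNodes.item(0)));

        List<X509Certificate> certificates = new ArrayList<>();
        PublicKey signingKey = null;
        for (Object item : keyInfo.getContent()) {
            if (item instanceof X509Data) {
                for (Object datum : ((X509Data) item).getContent()) {
                    if (datum instanceof X509Certificate) {
                        certificates.add((X509Certificate) datum);
                    }
                }
            } else if (item instanceof KeyValue) {
                signingKey = ((KeyValue) item).getPublicKey(); // the last KeyValue wins
            }
        }
        if (signingKey == null) {
            throw new SignatureException("Signature/KeyInfo/KeyValue was not found...it is required for validation.");
        }
        if (certificates.isEmpty()) {
            return new PublicKey[] {signingKey, signingKey};
        }
        if (certificates.size() == 1) {
            X509Certificate only = certificates.get(0);
            if (!isSelfSigned(only)) {
                throw new SignatureException("Only 1 cert is found and it is not self signed.");
            }
            if (!isSameKey(signingKey, only.getPublicKey())) {
                throw new SignatureException("The discovered cert public key does not match the key used for signing.");
            }
            return new PublicKey[] {only.getPublicKey(), only.getPublicKey()};
        }

        X509Certificate anchor = null;
        X509Certificate target = null;
        for (X509Certificate candidate : certificates) {
            if (isSelfSigned(candidate)) {
                if (anchor != null) {
                    throw new SignatureException("More than one self signed certificate was found.");
                }
                anchor = candidate;
            } else if (isSameKey(signingKey, candidate.getPublicKey())) {
                target = candidate; // the last match wins
            }
        }
        if (anchor == null) {
            throw new SignatureException("Could not find a self signed certificate on the signature.");
        }
        if (target == null) {
            throw new SignatureException("Could not find a certificate matching the key used to sign.");
        }

        certificates.remove(anchor); // the anchor is supplied as TrustAnchor, not as a path candidate
        X509CertSelector targetSelector = new X509CertSelector();
        targetSelector.setCertificate(target);
        Set<TrustAnchor> anchors = new HashSet<>();
        anchors.add(new TrustAnchor(anchor, null));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetSelector);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificates), PROVIDER));
        PKIXCertPathBuilderResult built = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", PROVIDER).build(params);
        return new PublicKey[] {anchor.getPublicKey(), built.getPublicKey()};
    }

    /**
     * Returns {@code true} when both keys have the same algorithm and format (where both report
     * one) and byte-identical encodings. Either key being {@code null}, or lacking an encoding,
     * compares as not equal; the previous implementation threw {@link NullPointerException} and
     * re-encoded the keys on every byte of the comparison. The comparison is not constant-time,
     * which is acceptable because both operands are public keys.
     */
    private static boolean isSameKey(PublicKey first, PublicKey second) {
        if (first == null || second == null) {
            return false;
        }
        String algorithm = first.getAlgorithm();
        String otherAlgorithm = second.getAlgorithm();
        if (algorithm != null && otherAlgorithm != null && !algorithm.equals(otherAlgorithm)) {
            return false;
        }
        String format = first.getFormat();
        String otherFormat = second.getFormat();
        if (format != null && otherFormat != null && !format.equals(otherFormat)) {
            return false;
        }
        byte[] encoded = first.getEncoded();
        byte[] otherEncoded = second.getEncoded();
        if (encoded == null || otherEncoded == null) {
            return false;
        }
        return Arrays.equals(encoded, otherEncoded);
    }

    /**
     * Returns {@code true} when the certificate's signature verifies under its own public key.
     * This checks only the signature; subject/issuer equality, validity period and key usage are
     * not examined.
     *
     * @throws CertificateException if the certificate cannot be encoded for verification
     * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
     * @throws NoSuchProviderException if the required provider is unavailable
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate)
            throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | SignatureException e) {
            // Wrong key or bad signature: the certificate was signed by some other key.
            return false;
        }
    }
}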
