package com.helger.peppol.httpclient;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.collection.ArrayHelper;
import com.helger.commons.io.stream.NonBlockingByteArrayInputStream;
import com.helger.commons.io.stream.StreamHelper;
import com.helger.commons.xml.serialize.read.DOMReader;
import com.helger.jaxb.AbstractJAXBMarshaller;
import com.helger.peppol.smpclient.SMPClientConfiguration;
import com.helger.peppol.utils.KeyStoreHelper;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import javassist.bytecode.SignatureAttribute;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.WillClose;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import org.apache.http.HttpEntity;
import org.apache.http.client.ClientProtocolException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/peppol-smp-client-4.3.5.jar:com/helger/peppol/httpclient/SMPHttpResponseHandlerSigned.class */
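/**
 * HTTP response handler that verifies the XML-DSig signature of an SMP
 * response before the payload is unmarshalled with the supplied JAXB
 * marshaller. The response body is buffered once; the very same bytes are
 * used for the signature check and for unmarshalling, so what is parsed is
 * exactly what was verified.
 *
 * @param <T>
 *        the JAXB type produced by the marshaller
 */
public final class SMPHttpResponseHandlerSigned<T> extends AbstractSMPResponseHandler<T> {
    private static final Logger s_aLogger = LoggerFactory.getLogger(SMPHttpResponseHandlerSigned.class);
    /** XML-DSig namespace URI of the {@code <Signature>} element looked up in the response. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    /**
     * Local name of the XML-DSig signature element. The decompiled code spelled
     * this as javassist's {@code SignatureAttribute.tag}, which happens to hold the
     * same string; the literal removes that accidental dependency.
     */
    private static final String XMLDSIG_SIGNATURE_ELEMENT = "Signature";
    private final AbstractJAXBMarshaller<T> m_aMarshaller;

    /* loaded from: input_file:WEB-INF/lib/peppol-smp-client-4.3.5.jar:com/helger/peppol/httpclient/SMPHttpResponseHandlerSigned$ConstantKeySelectorResult.class */
    /**
     * Immutable {@link KeySelectorResult} wrapping a single, possibly
     * {@code null}, key.
     */
    private static final class ConstantKeySelectorResult implements KeySelectorResult {
        private final Key m_aKey;

        /**
         * @param key
         *        the key to hand back from {@link #getKey()}; may be {@code null}
         */
        public ConstantKeySelectorResult(@Nullable final Key key) {
            this.m_aKey = key;
        }

        @Override
        @Nullable
        public Key getKey() {
            return this.m_aKey;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/peppol-smp-client-4.3.5.jar:com/helger/peppol/httpclient/SMPHttpResponseHandlerSigned$X509KeySelector.class */
    /**
     * Selects the public key of the first {@code <X509Certificate>} inside the
     * {@code <KeyInfo>} that is within its validity period, validates as a
     * one-element PKIX path against the configured SMP truststore and whose
     * key algorithm matches the signature method. Revocation checking is
     * disabled, as in the original implementation.
     */
    public static final class X509KeySelector extends KeySelector {
        private final String m_sTrustStoreLocation = SMPClientConfiguration.getTruststoreLocation();
        private final String m_sTrustStorePassword = SMPClientConfiguration.getTruststorePassword();

        /**
         * Checks whether a signature-method URI fits a JCA key algorithm name.
         * Only the SHA-1 based DSA and RSA URIs are accepted; anything else
         * (e.g. the SHA-256 variants) yields {@code false}.
         *
         * @param sSignatureMethodURI
         *        the XML-DSig signature-method URI; compared case-insensitively
         * @param sKeyAlgorithm
         *        the JCA algorithm name of the key ({@code "DSA"} or {@code "RSA"}); compared case-insensitively
         * @return {@code true} if the URI is the SHA-1 signature method for that key algorithm
         */
        public static boolean algorithmEquals(@Nonnull final String sSignatureMethodURI, @Nonnull final String sKeyAlgorithm) {
            if (sKeyAlgorithm.equalsIgnoreCase("DSA")) {
                return sSignatureMethodURI.equalsIgnoreCase("http://www.w3.org/2000/09/xmldsig#dsa-sha1");
            }
            if (sKeyAlgorithm.equalsIgnoreCase("RSA")) {
                return sSignatureMethodURI.equalsIgnoreCase("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
            }
            return false;
        }

        /**
         * Builds the PKIX parameters from the configured truststore. The
         * truststore is loaded fresh on every call; callers cache the result.
         * Revocation (CRL/OCSP) is switched off here, so a revoked but otherwise
         * valid SMP certificate is still accepted.
         *
         * @return the parameters, never {@code null}
         * @throws Exception
         *         if the truststore cannot be loaded
         */
        @Nonnull
        private PKIXParameters _createTrustParameters() throws Exception {
            final PKIXParameters aParams = new PKIXParameters(KeyStoreHelper.loadKeyStore(this.m_sTrustStoreLocation, this.m_sTrustStorePassword));
            aParams.setRevocationEnabled(false);
            return aParams;
        }

        /**
         * Checks the validity period of the certificate and validates it as a
         * single-element certificate path against the trust anchors in
         * {@code aParams}.
         *
         * @param aCert
         *        the certificate taken from {@code <KeyInfo>}
         * @param aParams
         *        the PKIX parameters built from the truststore
         * @throws GeneralSecurityException
         *         if the certificate is expired/not yet valid or does not chain to a trust anchor
         */
        private static void _validateCertificate(@Nonnull final X509Certificate aCert, @Nonnull final PKIXParameters aParams) throws GeneralSecurityException {
            aCert.checkValidity();
            CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X509").generateCertPath(Arrays.asList(aCert)), aParams);
        }

        /**
         * Walks all {@code <X509Data>} entries of the {@code KeyInfo} and returns
         * the first embedded certificate's public key that passes
         * {@link #_validateCertificate(X509Certificate, PKIXParameters)} and
         * matches the signature method. {@code purpose} and the crypto context
         * are not consulted.
         *
         * @throws KeySelectorException
         *         if no matching certificate exists, or if validation of a candidate fails
         */
        @Override
        public KeySelectorResult select(@Nonnull final KeyInfo keyInfo, final KeySelector.Purpose purpose, @Nonnull final AlgorithmMethod algorithmMethod, final XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
            // Loaded lazily on the first candidate certificate and reused for all following ones
            PKIXParameters aTrustParams = null;
            // getContent() is a raw List on older JDKs and List<XMLStructure> on newer ones; iterate as Object for both
            for (final Object aKeyInfoEntry : keyInfo.getContent()) {
                if (!(aKeyInfoEntry instanceof X509Data)) {
                    continue;
                }
                for (final Object aX509Entry : ((X509Data) aKeyInfoEntry).getContent()) {
                    if (!(aX509Entry instanceof X509Certificate)) {
                        continue;
                    }
                    final X509Certificate aCert = (X509Certificate) aX509Entry;
                    try {
                        if (aTrustParams == null) {
                            aTrustParams = _createTrustParameters();
                        }
                        _validateCertificate(aCert, aTrustParams);
                        final PublicKey aPublicKey = aCert.getPublicKey();
                        if (algorithmEquals(algorithmMethod.getAlgorithm(), aPublicKey.getAlgorithm())) {
                            // NOTE(review): nothing here binds the certificate to the queried SMP
                            // identity (e.g. its subject); any certificate chaining to the truststore
                            // is accepted - confirm that the trust anchors are scoped accordingly
                            return new ConstantKeySelectorResult(aPublicKey);
                        }
                    } catch (final Exception ex) {
                        // Errors (OutOfMemoryError etc.) are deliberately not caught any more
                        throw new KeySelectorException("Failed to select public key", ex);
                    }
                }
            }
            throw new KeySelectorException("No public key found!");
        }
    }

    /**
     * @param abstractJAXBMarshaller
     *        the marshaller used to unmarshal the verified response; may not be {@code null}
     */
    public SMPHttpResponseHandlerSigned(@Nonnull final AbstractJAXBMarshaller<T> abstractJAXBMarshaller) {
        this.m_aMarshaller = ValueEnforcer.notNull(abstractJAXBMarshaller, "Marshaller");
    }

    /**
     * Logs at INFO which part of a failed signature did not validate: the
     * {@code <SignatureValue>} and then every {@code <Reference>}. Unlike the
     * decompiled original, references are reported regardless of the signature
     * value result, because a failed core validation with a valid signature
     * value means exactly that a reference digest does not match.
     *
     * @param aSignature
     *        the unmarshalled signature
     * @param aValidateContext
     *        the context the signature was validated with
     * @throws XMLSignatureException
     *         if the partial validations fail unexpectedly
     */
    private static void _logValidationDetails(@Nonnull final XMLSignature aSignature, @Nonnull final DOMValidateContext aValidateContext) throws XMLSignatureException {
        s_aLogger.info("Signature failed core validation");
        final boolean bSigValueValid = aSignature.getSignatureValue().validate(aValidateContext);
        s_aLogger.info("  Signature value valid: {}", Boolean.valueOf(bSigValueValid));
        int nIndex = 0;
        // getReferences() is a raw List on older JDKs and List<Reference> on newer ones
        for (final Object aRef : aSignature.getSignedInfo().getReferences()) {
            final boolean bRefValid = ((Reference) aRef).validate(aValidateContext);
            s_aLogger.info("  Reference[{}] validity status: {}", Integer.valueOf(nIndex), bRefValid ? "valid" : "NOT valid!");
            nIndex++;
        }
    }

    /**
     * Parses the response as DOM, locates the first XML-DSig
     * {@code <Signature>} element and runs core validation on it with
     * {@link X509KeySelector}. The stream is always closed.
     *
     * @param aIS
     *        the response bytes; closed on return
     * @return {@code true} if core validation succeeded
     * @throws IllegalArgumentException
     *         if the document cannot be parsed or holds no {@code <Signature>} element
     * @throws Exception
     *         on any signature unmarshalling or validation error
     */
    private static boolean _checkSignature(@Nonnull @WillClose final InputStream aIS) throws Exception {
        try {
            // NOTE(review): whether external entities are disabled for this parse depends on
            // DOMReader's configuration, which is not visible in this class - confirm
            final Document aDoc = DOMReader.readXMLDOM(aIS);
            if (aDoc == null) {
                throw new IllegalArgumentException("SMP XML response could not be parsed");
            }
            final NodeList aSigNodes = aDoc.getElementsByTagNameNS(XMLDSIG_NS, XMLDSIG_SIGNATURE_ELEMENT);
            if (aSigNodes == null || aSigNodes.getLength() == 0) {
                throw new IllegalArgumentException("Element <Signature> not found in SMP XML response");
            }
            // Only the first <Signature> element is validated; further ones in the document are ignored
            final DOMValidateContext aValidateContext = new DOMValidateContext(new X509KeySelector(), aSigNodes.item(0));
            // NOTE(review): no explicit "org.jcp.xml.dsig.secureValidation" property is set here;
            // whether the JDK applies secure validation by default (and thereby rejects the SHA-1
            // methods accepted by algorithmEquals) depends on the runtime version - verify on the target JDK
            final XMLSignature aSignature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(aValidateContext);
            final boolean bCoreValid = aSignature.validate(aValidateContext);
            if (!bCoreValid) {
                _logValidationDetails(aSignature, aValidateContext);
            }
            return bCoreValid;
        } finally {
            StreamHelper.close(aIS);
        }
    }

    /**
     * Reads the whole entity, verifies its signature and unmarshals it.
     *
     * @param httpEntity
     *        the HTTP response entity
     * @return the unmarshalled, signature-verified object; never {@code null}
     * @throws ClientProtocolException
     *         if the body is empty, the signature is missing or invalid, or the
     *         document cannot be unmarshalled
     * @throws IOException
     *         if reading the entity fails
     */
    @Override // com.helger.peppol.httpclient.AbstractSMPResponseHandler
    @Nonnull
    public T handleEntity(@Nonnull final HttpEntity httpEntity) throws IOException {
        // Buffer the body once: it is needed for the signature check and then for unmarshalling
        final byte[] aResponseBytes = StreamHelper.getAllBytes(httpEntity.getContent());
        if (ArrayHelper.isEmpty(aResponseBytes)) {
            throw new ClientProtocolException("Could not read SMP server response content");
        }
        try {
            if (!_checkSignature(new NonBlockingByteArrayInputStream(aResponseBytes))) {
                throw new ClientProtocolException("Signature returned from SMP server was not valid");
            }
            // Unmarshal exactly the bytes that were just verified
            final T aResult = this.m_aMarshaller.read(aResponseBytes);
            if (aResult == null) {
                throw new ClientProtocolException("Malformed XML document returned from SMP server");
            }
            return aResult;
        } catch (final ClientProtocolException ex) {
            // Already carries the precise reason - do not bury it under the generic message below
            throw ex;
        } catch (final Exception ex) {
            throw new ClientProtocolException("Error in validating signature returned from SMP server", ex);
        }
    }

    /**
     * Static factory for the handler.
     *
     * @param abstractJAXBMarshaller
     *        the marshaller used to unmarshal the verified response; may not be {@code null}
     * @return a new handler instance
     */
    @Nonnull
    public static <U> SMPHttpResponseHandlerSigned<U> create(@Nonnull final AbstractJAXBMarshaller<U> abstractJAXBMarshaller) {
        return new SMPHttpResponseHandlerSigned<>(abstractJAXBMarshaller);
    }
}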
