package org.astrogrid.security.wsse;

import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.rmi.RemoteException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.SignatureAlgorithm;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.XMLUtils;
import org.astrogrid.security.AxisServiceSecurityGuard;
import org.astrogrid.security.SecurityGuard;
import org.astrogrid.security.rfc3820.CertificateChainValidator;
import org.globus.gsi.TrustedCertificates;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:org/astrogrid/security/wsse/WsseSignature.class */
public class WsseSignature {
    private Document message;
    private TrustedCertificates trustAnchors;
    private Element header;
    protected static final QName SIGNATURE = new QName("http://www.w3.org/2000/09/xmldsig#", "Signature");
    private static final Class[] constructorType = {WSSConfig.class, Element.class};
    private static Log log = LogFactory.getLog(WsseSignature.class.getName());
    protected String canonAlgo = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private AxisServiceSecurityGuard authenticated = new AxisServiceSecurityGuard();
    protected WSSConfig wssConfig = WSSConfig.getDefaultWSConfig();
    protected QName binaryToken = new QName(this.wssConfig.getWsseNS(), WSConstants.BINARY_TOKEN_LN);

    public WsseSignature(Document document, TrustedCertificates trustedCertificates) {
        this.message = document;
        this.trustAnchors = trustedCertificates;
        this.header = WSSecurityUtil.getSecurityHeader(this.wssConfig, this.message, null, WSSecurityUtil.getSOAPConstants(this.message.getDocumentElement()));
    }

    public Document sign(SecurityGuard securityGuard) throws Exception {
        X509Certificate[] certificateChain = securityGuard.getCertificateChain();
        if (certificateChain.length == 0) {
            throw new Exception("The given credentials do not contain a certificate chain.");
        }
        PrivateKey privateKey = securityGuard.getPrivateKey();
        if (privateKey == null) {
            throw new Exception("There is no private key in the given credentials.");
        }
        XMLSignature createSigatureElement = createSigatureElement(getSignatureAlgorithm(certificateChain[0]));
        Reference reference = new Reference(this.wssConfig, this.message);
        String str = "CertId-" + certificateChain[0].hashCode();
        reference.setURI("#" + str);
        PKIPathSecurity pKIPathSecurity = new PKIPathSecurity(this.wssConfig, this.message);
        pKIPathSecurity.setX509Certificates(certificateChain, false, new Uther());
        pKIPathSecurity.setID(str);
        reference.setValueType(pKIPathSecurity.getValueType());
        SecurityTokenReference securityTokenReference = new SecurityTokenReference(this.wssConfig, this.message);
        securityTokenReference.setID("STRId-" + securityTokenReference.hashCode());
        securityTokenReference.setReference(reference);
        KeyInfo keyInfo = createSigatureElement.getKeyInfo();
        keyInfo.setId("KeyId-" + keyInfo.hashCode());
        keyInfo.addUnknownElement(securityTokenReference.getElement());
        createSigatureElement.sign(privateKey);
        Element insertSecurityHeader = insertSecurityHeader(this.message);
        WSSecurityUtil.prependChildElement(this.message, insertSecurityHeader, createSigatureElement.getElement(), false);
        WSSecurityUtil.prependChildElement(this.message, insertSecurityHeader, pKIPathSecurity.getElement(), false);
        log.debug("Signing complete.");
        return this.message;
    }

    public void verify() throws Exception {
        if (this.trustAnchors == null) {
            throw new Exception("Signatures cannot be checked because no trust-anchor certificates are loaded.");
        }
        if (this.header == null) {
            return;
        }
        log.debug("Checking the signature...");
        X509Certificate[] processSecurityHeader = processSecurityHeader(this.header);
        log.debug("Signature is valid.");
        log.debug("Checking the certificate chain...");
        new CertificateChainValidator(this.trustAnchors.getCertificates()).validate(processSecurityHeader);
        log.debug("Certificate chain is valid.");
        this.authenticated.setCertificateChain(processSecurityHeader);
        this.authenticated.setX500PrincipalFromCertificateChain();
    }

    public AxisServiceSecurityGuard getServiceGuard() {
        return this.authenticated;
    }

    protected XMLSignature createSigatureElement(SignatureAlgorithm signatureAlgorithm) throws Exception {
        Element createElementInSignatureSpace = XMLUtils.createElementInSignatureSpace(this.message, Constants._TAG_CANONICALIZATIONMETHOD);
        createElementInSignatureSpace.setAttributeNS(null, "Algorithm", this.canonAlgo);
        XMLSignature xMLSignature = new XMLSignature(this.message, (String) null, signatureAlgorithm.getElement(), createElementInSignatureSpace);
        xMLSignature.addResourceResolver(EnvelopeIdResolver.getInstance(this.wssConfig));
        SOAPConstants sOAPConstants = WSSecurityUtil.getSOAPConstants(this.message.getDocumentElement());
        Element element = (Element) WSSecurityUtil.findElement(this.message.getDocumentElement(), sOAPConstants.getBodyQName().getLocalPart(), sOAPConstants.getEnvelopeURI());
        if (element == null) {
            throw new Exception("The message cannot be signed because it has no SOAP body.");
        }
        Transforms transforms = new Transforms(this.message);
        transforms.addTransform("http://www.w3.org/2001/10/xml-exc-c14n#");
        xMLSignature.addDocument("#" + setWsuId(element), transforms);
        return xMLSignature;
    }

    protected SignatureAlgorithm getSignatureAlgorithm(X509Certificate x509Certificate) throws Exception {
        String str;
        String algorithm = x509Certificate.getPublicKey().getAlgorithm();
        log.debug("automatic sig algo detection: " + algorithm);
        if (algorithm.equalsIgnoreCase("DSA")) {
            str = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
        } else {
            if (!algorithm.equalsIgnoreCase("RSA")) {
                throw new Exception("The signature algorithm in the presented certificate  - " + algorithm + " - is not supported.");
            }
            str = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
        }
        return new SignatureAlgorithm(this.message, str);
    }

    protected X509Certificate[] processSecurityHeader(Element element) throws Exception {
        X509Certificate[] x509CertificateArr = null;
        NodeList childNodes = element.getChildNodes();
        int length = childNodes.getLength();
        for (int i = 0; i < length; i++) {
            Node item = childNodes.item(i);
            if (item.getNodeType() == 1) {
                Element element2 = (Element) item;
                if (new QName(element2.getNamespaceURI(), element2.getLocalName()).equals(SIGNATURE)) {
                    x509CertificateArr = processSignatureElement(element2);
                }
            }
        }
        return x509CertificateArr;
    }

    protected X509Certificate[] processSignatureElement(Element element) throws Exception {
        log.debug("Found signature element");
        XMLSignature xMLSignature = new XMLSignature(element, null);
        xMLSignature.addResourceResolver(new EnvelopeIdResolver(this.wssConfig, this.message));
        KeyInfo keyInfo = xMLSignature.getKeyInfo();
        if (keyInfo == null) {
            throw new Exception("The signature in the message does not include a reference to the key for checking the signature; this usage is not supported.");
        }
        X509Certificate[] credentialsFromMessage = getCredentialsFromMessage(keyInfo, element);
        if (xMLSignature.checkSignatureValue(credentialsFromMessage[0])) {
            return credentialsFromMessage;
        }
        throw new Exception("The signature is cryptographically invalid.");
    }

    protected X509Certificate[] getCredentialsFromMessage(KeyInfo keyInfo, Element element) throws Exception {
        X509Certificate[] keyIdentifier;
        Uther uther = new Uther();
        Node directChild = WSSecurityUtil.getDirectChild(keyInfo.getElement(), SecurityTokenReference.SECURITY_TOKEN_REFERENCE, this.wssConfig.getWsseNS());
        if (directChild == null) {
            throw new WSSecurityException(3, "unsupportedKeyInfo");
        }
        SecurityTokenReference securityTokenReference = new SecurityTokenReference(this.wssConfig, (Element) directChild);
        WSDocInfo lookup = WSDocInfoStore.lookup(element.getOwnerDocument().hashCode());
        if (securityTokenReference.containsReference()) {
            Element tokenElement = securityTokenReference.getTokenElement(element.getOwnerDocument(), lookup);
            if (!tokenElement.getLocalName().equals(this.binaryToken.getLocalPart())) {
                throw new Exception("The signature refers to a token of type {" + tokenElement.getNamespaceURI() + "}" + tokenElement.getLocalName() + " which is not supported.");
            }
            keyIdentifier = getCertificatesTokenReference(tokenElement, uther);
        } else if (securityTokenReference.containsX509IssuerSerial()) {
            keyIdentifier = securityTokenReference.getX509IssuerSerial(uther);
        } else {
            if (!securityTokenReference.containsKeyIdentifier()) {
                throw new WSSecurityException(3, "unsupportedKeyInfo", new Object[]{directChild.toString()});
            }
            keyIdentifier = securityTokenReference.getKeyIdentifier(uther);
        }
        if (keyIdentifier == null || keyIdentifier.length == 0 || keyIdentifier[0] == null) {
            throw new Exception("No certificates were found in the message header.");
        }
        return keyIdentifier;
    }

    protected X509Certificate[] getCertificatesTokenReference(Element element, Crypto crypto) throws WSSecurityException {
        BinarySecurity createSecurityToken = createSecurityToken(element);
        if (createSecurityToken instanceof PKIPathSecurity) {
            return ((PKIPathSecurity) createSecurityToken).getX509Certificates(false, crypto);
        }
        if (createSecurityToken instanceof X509Security) {
            return new X509Certificate[]{((X509Security) createSecurityToken).getX509Certificate(crypto)};
        }
        throw new WSSecurityException(1, "unhandledToken", new Object[]{createSecurityToken.getClass().getName()});
    }

    private BinarySecurity createSecurityToken(Element element) throws WSSecurityException {
        String valueType = new BinarySecurity(this.wssConfig, element).getValueType();
        Class cls = null;
        if (this.wssConfig.getProcessNonCompliantMessages() || this.wssConfig.isBSTValuesPrefixed()) {
            if (valueType.endsWith(X509Security.X509_V3)) {
                cls = X509Security.class;
            } else if (valueType.endsWith(PKIPathSecurity.X509PKI_PATH)) {
                cls = PKIPathSecurity.class;
            }
        } else if (valueType.equals(X509Security.getType(this.wssConfig))) {
            cls = X509Security.class;
        } else if (valueType.equals(PKIPathSecurity.getType(this.wssConfig))) {
            cls = PKIPathSecurity.class;
        }
        if (cls == null) {
            throw new WSSecurityException(1, "unsupportedBinaryTokenType", new Object[]{valueType});
        }
        try {
            Constructor constructor = cls.getConstructor(constructorType);
            if (constructor == null) {
                throw new WSSecurityException(0, "invalidConstructor", new Object[]{cls});
            }
            return (BinarySecurity) constructor.newInstance(this.wssConfig, element);
        } catch (IllegalAccessException e) {
            throw new WSSecurityException(0, null, null, e);
        } catch (InstantiationException e2) {
            throw new WSSecurityException(0, null, null, e2);
        } catch (NoSuchMethodException e3) {
            throw new WSSecurityException(0, null, null, e3);
        } catch (InvocationTargetException e4) {
            RemoteException targetException = e4.getTargetException();
            if (targetException instanceof WSSecurityException) {
                throw ((WSSecurityException) targetException);
            }
            throw new WSSecurityException(0, null, null, e4);
        }
    }

    protected Element insertSecurityHeader(Document document) {
        Element securityHeader = WSSecurityUtil.getSecurityHeader(this.wssConfig, document, null, WSSecurityUtil.getSOAPConstants(document.getDocumentElement()));
        if (securityHeader == null) {
            securityHeader = WSSecurityUtil.findWsseSecurityHeaderBlock(this.wssConfig, document, document.getDocumentElement(), null, true);
        }
        return securityHeader;
    }

    protected String setWsuId(Element element) {
        String str = null;
        if (this.wssConfig.getProcessNonCompliantMessages()) {
            str = WSSecurityUtil.getAttributeValueWSU(element, "Id", null);
        }
        if (!this.wssConfig.getProcessNonCompliantMessages() && this.wssConfig.isTargetIdQualified()) {
            str = element.getAttributeNS(this.wssConfig.getWsuNS(), "Id");
        } else if (str == null || str.length() == 0) {
            str = element.getAttribute("Id");
        }
        if (str == null || str.length() == 0) {
            str = "id-" + Integer.toString(element.hashCode());
            if (this.wssConfig.isTargetIdQualified()) {
                element.setAttributeNS(this.wssConfig.getWsuNS(), WSSecurityUtil.setNamespace(element, this.wssConfig.getWsuNS(), WSConstants.WSU_PREFIX) + ":Id", str);
            } else {
                element.setAttributeNS(null, "Id", str);
            }
        }
        return str;
    }
}
