package at.gv.egovernment.moa.sig.tsl.engine.verify;

import at.gv.egovernment.moa.sig.tsl.TslConstants;
import at.gv.egovernment.moa.sig.tsl.exception.TSLSecurityException;
import at.gv.egovernment.moa.sig.tsl.exception.TslVerificationException;
import iaik.server.modules.xml.MOAXSecProvider;
import iaik.xml.crypto.utils.URIDereferencerImpl;
import jakarta.xml.bind.JAXBElement;
import jakarta.xml.bind.JAXBIntrospector;
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import javax.xml.crypto.Data;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.NodeSetData;
import javax.xml.crypto.URIReferenceException;
import javax.xml.crypto.dom.DOMCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.namespace.QName;
import org.etsi.uri._02231.v2_.TrustStatusListType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3._2000._09.xmldsig_.ObjectFactory;
import org.w3._2000._09.xmldsig_.SignatureType;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:at/gv/egovernment/moa/sig/tsl/engine/verify/TSLVerifier.class */
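public class TSLVerifier {
    private static final Logger log = LoggerFactory.getLogger(TSLVerifier.class);
    private static final ObjectFactory dsOf = new ObjectFactory();
    private static final JAXBIntrospector JI = TslConstants.JAXBCONTEXT.createJAXBIntrospector();

    /** Algorithm the first transform of the document-element reference must use. */
    private static final String ENVELOPED_SIGNATURE_TRANSFORM =
            "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
    /** Algorithm required for the second transform and for the SignedInfo canonicalization method. */
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    /** Context property that {@link #debug} reads to find an optional debug {@link OutputStream}. */
    private static final String DEBUG_STREAM_PROPERTY = "iaik.xml.crypto.debug.OutputStream";
    /** JSR-105 property asking the implementation to cache dereferenced reference data. */
    private static final String CACHE_REFERENCE_PROPERTY = "javax.xml.crypto.dsig.cacheReference";
    /** If this class is loadable, the MOA-SPSS key selector and signature factory are used. */
    private static final String MOA_INITIALIZER_CLASS =
            "at.gv.egovernment.moa.spss.server.init.SystemInitializer";

    /**
     * Verifies the enveloped XMLDSig signature of a Trust Status List document.
     *
     * <p>The document element must be the TSL root element; the signature must be the last
     * element child of it. After core validation the SignedInfo is checked against the expected
     * TSL signature profile: exactly one reference covers the document element, that reference
     * carries exactly the transforms enveloped-signature followed by exclusive C14N, and the
     * canonicalization method is exclusive C14N as well.
     *
     * <p>The method fails closed: every structural, profile or cryptographic problem is logged
     * and yields {@code false}; it never throws for a malformed or non-conformant input.
     *
     * @param document parsed TSL document (must be namespace aware)
     * @param listIterator trusted signer certificates handed to the key selector
     * @return {@code true} only if core validation passed and the signature matches the TSL profile
     */
    public static Boolean verifyTSL(Document document, ListIterator<X509Certificate> listIterator) {
        boolean valid = false;
        try {
            JAXBElement<SignatureType> signatureElement = dsOf.createSignature(new SignatureType());
            JAXBElement<TrustStatusListType> tslElement =
                    TslConstants.TSL_OF.createTrustServiceStatusList(new TrustStatusListType());
            Element documentElement = document.getDocumentElement();
            checkDocumentElement(document, documentElement, tslElement);
            Element signatureNode = findEnvelopedSignature(documentElement, signatureElement);

            // Without MOA-SPSS on the classpath fall back to the plain JSR-105 "DOM" provider.
            boolean standalone = !moaSpssAvailable();
            DOMValidateContext ctx = standalone
                    ? new DOMValidateContext(new TslKeySelector(listIterator), signatureNode)
                    : new DOMValidateContext(new MOATslKeySelector(listIterator), signatureNode);
            if (ctx.getURIDereferencer() == null) {
                ctx.setURIDereferencer(new URIDereferencerImpl());
            }
            ctx.setProperty(CACHE_REFERENCE_PROPERTY, Boolean.TRUE);
            XMLSignatureFactory factory = standalone
                    ? XMLSignatureFactory.getInstance("DOM")
                    : MOAXSecProvider.getXMLSignatureFactory();
            XMLSignature signature = factory.unmarshalXMLSignature(ctx);

            valid = signature.validate(ctx);
            if (!valid) {
                logCoreValidationFailure(ctx, signature);
                throw new TslVerificationException("TSL verfification error! Msg: Signature failed core validation");
            }
            // A cryptographically valid signature is still rejected if it does not match the profile.
            checkSignedInfoProfile(ctx, signature.getSignedInfo(), documentElement);
        } catch (URIReferenceException | MarshalException | TSLSecurityException e) {
            log.warn("TSL verification warning: Msg: {}", e.getMessage(), e);
            valid = false;
        } catch (TslVerificationException e) {
            log.warn("TSL verification error: Msg: {}", e.getMessage(), e);
            valid = false;
        } catch (XMLSignatureException e) {
            log.error("TSL verification error! Msg: Signature failed core validation",
                    new TSLSecurityException(TSLSecurityException.Type.ERRORS_IN_TSL_SIGNATURE));
            log.debug("Underlying XMLSignatureException", e);
            valid = false;
        }
        return valid;
    }

    /**
     * Returns whether the MOA-SPSS initializer class can be loaded, i.e. whether the MOA key
     * selector and XMLSignatureFactory should be used instead of the standard provider.
     */
    private static boolean moaSpssAvailable() {
        try {
            Class.forName(MOA_INITIALIZER_CLASS);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /**
     * Checks that the document element exists and is the TSL root element (namespace and local
     * name taken from the JAXB binding of {@link TrustStatusListType}).
     *
     * @throws TslVerificationException if the document is empty or the root element is wrong
     */
    private static void checkDocumentElement(Document document, Element documentElement,
            JAXBElement<TrustStatusListType> tslElement) {
        if (documentElement == null) {
            throw new TslVerificationException("TSL verfification error! Msg: Empty XML file");
        }
        QName expected = JI.getElementName(tslElement);
        // equals() is called on the expected side so a null namespace (non-namespace-aware
        // parser) is reported as a verification error instead of a NullPointerException.
        if (!expected.getNamespaceURI().equals(documentElement.getNamespaceURI())) {
            throw new TslVerificationException("TSL verfification error! Msg: Incorrect Namespace");
        }
        if (!expected.getLocalPart().equals(documentElement.getLocalName())) {
            throw new TslVerificationException("TSL verfification error! Msg: Wrong Document Element in document " + document.getDocumentURI());
        }
    }

    /**
     * Locates the enveloped ds:Signature, which must be the last element child of the document
     * element (trailing text/comment nodes are skipped).
     *
     * @throws TslVerificationException if the last element child is not a ds:Signature
     */
    private static Element findEnvelopedSignature(Element documentElement,
            JAXBElement<SignatureType> signatureElement) {
        Node candidate = documentElement.getLastChild();
        while (candidate != null && !(candidate instanceof Element)) {
            candidate = candidate.getPreviousSibling();
        }
        QName expected = JI.getElementName(signatureElement);
        if (candidate == null
                || !expected.getNamespaceURI().equals(candidate.getNamespaceURI())
                || !expected.getLocalPart().equals(candidate.getLocalName())) {
            throw new TslVerificationException("TSL verfification error! Msg: No enveloped signature found");
        }
        return (Element) candidate;
    }

    /**
     * Writes the per-component validation status to the context's debug stream (if configured)
     * after core validation failed, so the failing reference can be identified.
     *
     * @throws XMLSignatureException if validating a component fails unexpectedly
     */
    private static void logCoreValidationFailure(DOMValidateContext ctx, XMLSignature signature)
            throws XMLSignatureException {
        debug(ctx, "Signature failed core validation");
        debug(ctx, "signature validation status: " + signature.getSignatureValue().validate(ctx));
        int index = 0;
        for (Reference reference : signature.getSignedInfo().getReferences()) {
            debug(ctx, "ref[" + index + "] validity status: " + reference.validate(ctx));
            index++;
        }
    }

    /**
     * Enforces the TSL signature profile on an already core-validated SignedInfo: the reference
     * whose dereferenced node set starts at the document element must carry exactly the two
     * transforms enveloped-signature then exclusive C14N, such a reference must exist, and the
     * canonicalization method must be exclusive C14N.
     *
     * <p>References that do not dereference to a node set, or whose node set is empty or starts
     * elsewhere, are not constrained here.
     *
     * @throws TSLSecurityException for every profile violation, with the matching {@code Type}
     * @throws URIReferenceException if a reference cannot be dereferenced
     */
    private static void checkSignedInfoProfile(DOMValidateContext ctx, SignedInfo signedInfo,
            Element documentElement) throws URIReferenceException {
        boolean documentReferenceFound = false;
        for (Reference reference : signedInfo.getReferences()) {
            Data data = ctx.getURIDereferencer().dereference(reference, ctx);
            if (!(data instanceof NodeSetData)) {
                continue;
            }
            // hasNext() guard: an empty node set must not surface as NoSuchElementException.
            Iterator<?> nodes = ((NodeSetData<?>) data).iterator();
            if (!nodes.hasNext() || nodes.next() != documentElement) {
                continue;
            }
            List<Transform> transforms = reference.getTransforms();
            if (transforms.size() != 2) {
                throw new TSLSecurityException(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE);
            }
            if (!ENVELOPED_SIGNATURE_TRANSFORM.equals(transforms.get(0).getAlgorithm())) {
                throw new TSLSecurityException(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE);
            }
            if (!EXC_C14N.equals(transforms.get(1).getAlgorithm())) {
                throw new TSLSecurityException(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE);
            }
            documentReferenceFound = true;
        }
        if (!documentReferenceFound) {
            throw new TSLSecurityException(TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE);
        }
        if (!EXC_C14N.equals(signedInfo.getCanonicalizationMethod().getAlgorithm())) {
            throw new TSLSecurityException(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_CANONICALIZATION_METHOD);
        }
    }

    /**
     * Writes {@code str} to the {@link OutputStream} stored under the context property
     * {@code iaik.xml.crypto.debug.OutputStream}. Does nothing when the property is absent;
     * complains on {@code System.err} when it is set but is not an {@link OutputStream}.
     *
     * @param dOMCryptoContext context whose debug stream property is consulted
     * @param str text to write (no line terminator is appended)
     */
    public static void debug(DOMCryptoContext dOMCryptoContext, String str) {
        Object property = dOMCryptoContext.getProperty(DEBUG_STREAM_PROPERTY);
        if (property == null) {
            return;
        }
        if (!(property instanceof OutputStream)) {
            System.err.println("Failed to write to debug output stream. DOMCryptoContext's Property (\"iaik.xml.crypto.debug.OutputStream\") has to be of type OutputStream.");
            return;
        }
        try {
            // The stream is owned by whoever set the property, so it is flushed but not closed.
            // Without flush() the text stays in the encoder buffer and never reaches the stream.
            OutputStreamWriter writer = new OutputStreamWriter((OutputStream) property, StandardCharsets.UTF_8);
            writer.write(str);
            writer.flush();
        } catch (IOException e) {
            System.err.println("Failed to write to debug output stream. " + e.getMessage());
        }
    }
}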
