package se.idsec.sigval.xml.verify.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import se.idsec.signservice.security.certificate.CertificateValidationResult;
import se.idsec.signservice.security.certificate.CertificateValidator;
import se.idsec.signservice.security.certificate.impl.DefaultCertificateValidationResult;
import se.idsec.signservice.security.sign.SignatureValidationResult;
import se.idsec.sigval.cert.chain.ExtendedCertPathValidatorException;
import se.idsec.sigval.commons.algorithms.JWSAlgorithmRegistry;
import se.idsec.sigval.commons.data.PolicyValidationResult;
import se.idsec.sigval.commons.data.TimeValidationResult;
import se.idsec.sigval.commons.timestamp.TimeStamp;
import se.idsec.sigval.commons.timestamp.TimeStampPolicyVerifier;
import se.idsec.sigval.commons.utils.GeneralCMSUtils;
import se.idsec.sigval.commons.utils.SVAUtils;
import se.idsec.sigval.svt.claims.PolicyValidationClaims;
import se.idsec.sigval.svt.claims.SignatureClaims;
import se.idsec.sigval.svt.claims.TimeValidationClaims;
import se.idsec.sigval.svt.claims.ValidationConclusion;
import se.idsec.sigval.svt.validation.SignatureSVTValidationResult;
import se.idsec.sigval.xml.data.ExtendedXmlSigvalResult;
import se.idsec.sigval.xml.policy.XMLSignaturePolicyValidator;
import se.idsec.sigval.xml.svt.XMLSVTValidator;
import se.idsec.sigval.xml.svt.XMLSigValInput;
import se.idsec.sigval.xml.verify.XMLSignatureElementValidator;
import se.idsec.sigval.xml.xmlstruct.SignatureData;
import se.idsec.sigval.xml.xmlstruct.XAdESObjectParser;
import se.idsec.sigval.xml.xmlstruct.XMLSigConstants;
import se.idsec.sigval.xml.xmlstruct.XadesSignatureTimestampData;

/* loaded from: input_file:se/idsec/sigval/xml/verify/impl/XMLSignatureElementValidatorImpl.class */
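/**
 * Default implementation of {@link XMLSignatureElementValidator} that validates one {@code ds:Signature}
 * element of an XML document.
 *
 * <p>Validation takes one of two paths:</p>
 * <ul>
 * <li><b>SVT path</b> - if an {@link XMLSVTValidator} is configured and it returns a result for the
 * signature, the result is compiled from the Signature Validation Token (SVT) claims. No cryptographic
 * verification of the XML signature itself is performed on this path; it relies entirely on what the SVT
 * validator verified.</li>
 * <li><b>Full path</b> - the signature value and reference digests are verified cryptographically, the
 * signer certificate path is validated (when a {@link CertificateValidator} is configured), XAdES signature
 * time-stamps are verified, and finally the {@link XMLSignaturePolicyValidator} decides the overall
 * conclusion.</li>
 * </ul>
 *
 * <p>Instances hold only their injected collaborators and no mutable state; they are as thread-safe as
 * those collaborators are.</p>
 */
public class XMLSignatureElementValidatorImpl implements XMLSignatureElementValidator, XMLSigConstants {
    private static final Logger log = LoggerFactory.getLogger(XMLSignatureElementValidatorImpl.class);

    /** Time validation type URI reported for XAdES signature time-stamps. */
    private static final String SIG_TIMESTAMP_TIMEVAL_TYPE = "http://id.swedenconnect.se/svt/timeval-type/sig-timestamp/01";
    /** Time validation type URI reported for the issuance time of an SVT. */
    private static final String SVT_TIMEVAL_TYPE = "http://id.swedenconnect.se/svt/timeval-type/svt/01";
    /** Policy URI recorded on the SVT issuance-time claim. */
    private static final String SVT_PKIX_POLICY = "http://id.swedenconnect.se/svt/sigval-policy/pkix/01";

    /** Validates the signer certificate path. May be {@code null}, in which case no path validation is done. */
    private final CertificateValidator certificateValidator;
    /** Verifies the time-stamp tokens of XAdES signature time-stamps. */
    private final TimeStampPolicyVerifier timeStampPolicyVerifier;
    /** Applies the validation policy that decides the final status of a fully validated signature. */
    private final XMLSignaturePolicyValidator signaturePolicyValidator;
    /** Validates Signature Validation Tokens. May be {@code null}, in which case only the full path is used. */
    private final XMLSVTValidator xmlsvtValidator;

    /**
     * Creates a validator without SVT support; every signature is validated on the full path.
     *
     * @param certificateValidator validator for the signer certificate path, or {@code null} to skip path
     *          validation (the signer is then not checked against any trust anchor here and only the policy
     *          validator can reject it - use with care)
     * @param xMLSignaturePolicyValidator policy validator deciding the overall conclusion
     * @param timeStampPolicyVerifier verifier for XAdES signature time-stamp tokens
     */
    public XMLSignatureElementValidatorImpl(final CertificateValidator certificateValidator,
            final XMLSignaturePolicyValidator xMLSignaturePolicyValidator,
            final TimeStampPolicyVerifier timeStampPolicyVerifier) {
        this(certificateValidator, xMLSignaturePolicyValidator, timeStampPolicyVerifier, null);
    }

    /**
     * Creates a validator with optional SVT support.
     *
     * @param certificateValidator validator for the signer certificate path, or {@code null} to skip path
     *          validation (see the three-argument constructor for the consequences)
     * @param xMLSignaturePolicyValidator policy validator deciding the overall conclusion
     * @param timeStampPolicyVerifier verifier for XAdES signature time-stamp tokens
     * @param xMLSVTValidator SVT validator, or {@code null} to disable the SVT path
     */
    public XMLSignatureElementValidatorImpl(final CertificateValidator certificateValidator,
            final XMLSignaturePolicyValidator xMLSignaturePolicyValidator,
            final TimeStampPolicyVerifier timeStampPolicyVerifier,
            final XMLSVTValidator xMLSVTValidator) {
        this.certificateValidator = certificateValidator;
        this.signaturePolicyValidator = xMLSignaturePolicyValidator;
        this.timeStampPolicyVerifier = timeStampPolicyVerifier;
        this.xmlsvtValidator = xMLSVTValidator;
    }

    /**
     * Validates a signature element.
     *
     * <p>If an SVT validator is configured and produces a result for this signature, the result is compiled
     * from the SVT ({@link #compileXMLSigValResultsFromSvtValidation}). Otherwise the signature is validated
     * cryptographically ({@link #validateSignatureElement}), the signer certificate path is validated, XAdES
     * signature time-stamps are verified and the signature policy is applied.</p>
     *
     * @param element the {@code ds:Signature} element
     * @param signatureData pre-parsed data about the signature (signer certificate, chain, signed document)
     * @return the validation result; never {@code null}
     */
    @Override
    public ExtendedXmlSigvalResult validateSignature(final Element element, final SignatureData signatureData) {
        final SignatureSVTValidationResult svtResult = attemptSvtValidation(element, signatureData);
        if (svtResult != null) {
            return compileXMLSigValResultsFromSvtValidation(svtResult, element, signatureData);
        }

        final ExtendedXmlSigvalResult result = validateSignatureElement(element, signatureData);

        // Path validation is only attempted for a cryptographically valid signature. When no certificate
        // validator is configured the signer is not checked against any trust anchor here; the policy
        // validator below is then the only thing that can reject it.
        if (result.isSuccess() && this.certificateValidator != null) {
            validateSignerCertificatePath(result);
        }

        final XAdESObjectParser xadesParser = new XAdESObjectParser(element, signatureData);
        result.setSignedDocument(signatureData.getSignedDocument());
        result.setCoversDocument(signatureData.isCoversWholeDoc());
        result.setEtsiAdes(xadesParser.getQualifyingProperties() != null);
        result.setInvalidSignCert(!xadesParser.isXadesVerified(result.getSignerCertificate()));
        result.setClaimedSigningTime(xadesParser.getClaimedSigningTime());
        if (result.isEtsiAdes() && result.isInvalidSignCert()) {
            // The XAdES SigningCertificate digest is part of the signed data. A mismatch with the
            // certificate actually used to verify the signature may indicate a swapped KeyInfo
            // certificate, so the signer is rejected.
            final String msg = "Signature is XAdES signature, but signature certificate does not match signed certificate digest";
            log.debug(msg);
            result.setError(SignatureValidationResult.Status.ERROR_SIGNER_INVALID, msg, new CertPathBuilderException(msg));
        }

        result.setTimeValidationResults(validateSignatureTimeStamps(element, xadesParser));
        applySignaturePolicy(result);
        return result;
    }

    /**
     * Runs SVT validation if an SVT validator is configured.
     *
     * @param element the {@code ds:Signature} element
     * @param signatureData pre-parsed signature data
     * @return the first SVT validation result, or {@code null} if no SVT validator is configured, no result
     *         was produced, or SVT processing failed (a failure is logged and the caller falls back to full
     *         validation)
     */
    private SignatureSVTValidationResult attemptSvtValidation(final Element element, final SignatureData signatureData) {
        if (this.xmlsvtValidator == null) {
            return null;
        }
        try {
            final XMLSigValInput input = XMLSigValInput.builder()
                .signatureElement(element)
                .signatureData(signatureData)
                .build();
            final List<SignatureSVTValidationResult> svtResults = this.xmlsvtValidator.validate(input);
            return (svtResults == null || svtResults.isEmpty()) ? null : svtResults.get(0);
        }
        catch (final Exception e) {
            // Not fatal: an unreadable or broken SVT just means the signature is validated the slow way.
            log.error("Failed to parse signature {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Validates the signer certificate path with the configured {@link CertificateValidator} and records
     * the outcome on {@code result}.
     *
     * <p>Three failure modes are distinguished: an {@link ExtendedCertPathValidatorException} whose path
     * result contains no validated path (no path to a trust anchor - {@code ERROR_NOT_TRUSTED}), any other
     * {@link CertPathBuilderException} ({@code ERROR_NOT_TRUSTED}), and everything else
     * ({@code ERROR_SIGNER_INVALID}). An {@link ExtendedCertPathValidatorException} that does carry a
     * validated path leaves the status untouched; the path result is stored and the policy validator is
     * expected to judge it.</p>
     *
     * @param result the result of a successful cryptographic validation, updated in place
     */
    private void validateSignerCertificatePath(final ExtendedXmlSigvalResult result) {
        try {
            result.setCertificateValidationResult(this.certificateValidator.validate(
                result.getSignerCertificate(), result.getSignatureCertificateChain(), (List) null));
        }
        catch (final Exception e) {
            if (e instanceof ExtendedCertPathValidatorException) {
                final ExtendedCertPathValidatorException pathException = (ExtendedCertPathValidatorException) e;
                result.setCertificateValidationResult(pathException.getPathValidationResult());
                final List<?> validatedPath = pathException.getPathValidationResult().getValidatedCertificatePath();
                if (validatedPath == null || validatedPath.isEmpty()) {
                    log.debug("Failed to build certificates to a trusted path");
                    result.setError(SignatureValidationResult.Status.ERROR_NOT_TRUSTED, pathException.getMessage(), e);
                }
                // else: a path to a trust anchor exists but validation failed; the stored path result
                // carries the details and the policy validator decides the final status.
            }
            else if (e instanceof CertPathBuilderException) {
                final String msg = String.format("Failed to build a path to a trusted root for signer certificate - %s", e.getMessage());
                log.error("{}", e.getMessage());
                result.setError(SignatureValidationResult.Status.ERROR_NOT_TRUSTED, msg, e);
            }
            else {
                final String msg = String.format("Certificate path validation failure for signer certificate - %s", e.getMessage());
                log.error("{}", e.getMessage(), e);
                result.setError(SignatureValidationResult.Status.ERROR_SIGNER_INVALID, msg, e);
            }
        }
    }

    /**
     * Parses and verifies all XAdES {@code SignatureTimeStamp}s of the signature.
     *
     * <p>Time-stamps that cannot be parsed, that carry no {@code TSTInfo}, or whose claims cannot be
     * collected are silently dropped (logged at debug level); the caller decides via policy whether the
     * remaining set is sufficient.</p>
     *
     * @param element the {@code ds:Signature} element
     * @param xadesParser parser for the XAdES qualifying properties of the signature
     * @return the time validation results, possibly empty, never {@code null}
     */
    private List<TimeValidationResult> validateSignatureTimeStamps(final Element element, final XAdESObjectParser xadesParser) {
        final List<TimeValidationResult> results = new ArrayList<>();
        final List<XadesSignatureTimestampData> timestampDataList = xadesParser.getSignatureTimeStampDataList();
        if (timestampDataList == null || timestampDataList.isEmpty()) {
            return results;
        }
        for (final XadesSignatureTimestampData timestampData : timestampDataList) {
            final TimeStamp timeStamp = parseSignatureTimeStamp(element, timestampData);
            if (timeStamp == null || timeStamp.getTstInfo() == null) {
                continue;
            }
            final TimeValidationResult timeValidationResult = getTimeValidationResult(timeStamp);
            if (timeValidationResult != null) {
                results.add(timeValidationResult);
            }
        }
        return results;
    }

    /**
     * Builds a verified {@link TimeStamp} for one XAdES signature time-stamp.
     *
     * @param element the {@code ds:Signature} element
     * @param timestampData the time-stamp token and its canonicalization method
     * @return the time-stamp, or {@code null} if it could not be parsed or verified
     */
    private TimeStamp parseSignatureTimeStamp(final Element element, final XadesSignatureTimestampData timestampData) {
        try {
            final byte[] timestampedBytes = getTimestampedBytes(element, timestampData.getCanonicalizationMethod());
            return new TimeStamp(timestampData.getTimeStampSignatureBytes(), timestampedBytes, this.timeStampPolicyVerifier);
        }
        catch (final Exception e) {
            log.debug("Failed to parse XAdES signature time-stamp: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Applies the configured signature policy to a fully validated signature and records its conclusion.
     *
     * <p>Any conclusion other than {@link ValidationConclusion#PASSED} (including a missing conclusion)
     * overrides the status with the one reported by the policy validator.</p>
     *
     * @param result the validation result, updated in place
     */
    private void applySignaturePolicy(final ExtendedXmlSigvalResult result) {
        final PolicyValidationResult policyResult = this.signaturePolicyValidator.validatePolicy(result);
        final PolicyValidationClaims policyClaims = policyResult.getPolicyValidationClaims();
        // Compare constant-first: a null conclusion fails closed instead of throwing.
        if (!ValidationConclusion.PASSED.equals(policyClaims.getRes())) {
            result.setStatus(policyResult.getStatus());
            result.setStatusMessage(policyClaims.getMsg());
            result.setException(new SignatureException(policyClaims.getMsg()));
        }
        result.setValidationPolicyResultList(Arrays.asList(policyClaims));
    }

    /**
     * Produces the bytes covered by a XAdES {@code SignatureTimeStamp}: the canonicalized
     * {@code ds:SignatureValue} element.
     *
     * @param element the {@code ds:Signature} element
     * @param canonicalizationMethod canonicalization algorithm URI taken from the time-stamp's
     *          {@code ds:CanonicalizationMethod}
     * @return the canonicalized bytes, or {@code null} if the element is missing or canonicalization fails
     */
    private byte[] getTimestampedBytes(final Element element, final String canonicalizationMethod) {
        try {
            final Node signatureValue = element.getElementsByTagNameNS(XMLSigConstants.XMLDSIG_NS, "SignatureValue").item(0);
            if (signatureValue == null) {
                log.debug("Signature has no SignatureValue element - cannot compute time-stamped bytes");
                return null;
            }
            // The element is serialized on its own and re-parsed by the canonicalizer.
            // NOTE(review): serializing a detached subtree may drop namespace declarations inherited from
            // ancestor elements that an inclusive canonicalization in document context would include;
            // confirm against time-stamps produced by the expected signing services.
            final ByteArrayOutputStream serialized = new ByteArrayOutputStream();
            final Transformer transformer = TransformerFactory.newInstance().newTransformer();
            transformer.transform(new DOMSource(signatureValue), new StreamResult(serialized));
            return Canonicalizer.getInstance(canonicalizationMethod).canonicalize(serialized.toByteArray());
        }
        catch (final Exception e) {
            log.debug("Failed to parse signature value element using time stamp canonicalization algorithm", e);
            return null;
        }
    }

    /** {@inheritDoc} */
    @Override
    public CertificateValidator getCertificateValidator() {
        return this.certificateValidator;
    }

    /**
     * Verifies the signature value and the reference digests of a signature element, without any trust
     * evaluation of the signer.
     *
     * <p>Secure validation is enabled explicitly on the Apache Santuario {@link XMLSignature} so that the
     * library's hardening against hostile signatures (restricted transforms, reference limits, etc.)
     * applies regardless of which default the library version in use has.</p>
     *
     * <p>If {@code signatureData} carries no signer certificate, the public key from {@code ds:KeyInfo} is
     * used to check the signature value so that an accurate reason can be reported, but such a signature is
     * never reported as {@code SUCCESS}: that key travels with the signature and is not bound to any
     * identity.</p>
     *
     * @param element the {@code ds:Signature} element
     * @param signatureData pre-parsed signature data (signer certificate and chain)
     * @return the result; {@code SUCCESS} only if the signature verified against the signer certificate
     */
    public ExtendedXmlSigvalResult validateSignatureElement(final Element element, final SignatureData signatureData) {
        final ExtendedXmlSigvalResult result = new ExtendedXmlSigvalResult();
        result.setSignatureElement(element);
        try {
            // Third argument: secureValidation. Set explicitly instead of relying on the library default.
            final XMLSignature xmlSignature = new XMLSignature(element, "", true);

            final X509Certificate signerCertificate = signatureData.getSignerCertificate();
            final PublicKey publicKey;
            if (signerCertificate == null) {
                log.warn("No signing certificate found in signature");
                publicKey = xmlSignature.getKeyInfo() == null ? null : xmlSignature.getKeyInfo().getPublicKey();
            }
            else {
                result.setSignerCertificate(signerCertificate);
                result.setSignatureCertificateChain(signatureData.getSignatureCertChain());
                publicKey = signerCertificate.getPublicKey();
            }
            if (publicKey == null) {
                log.info("No certificate or public key found in signature's KeyInfo");
                result.setError(SignatureValidationResult.Status.ERROR_BAD_FORMAT, "No certificate or public key found in signature's KeyInfo");
                return result;
            }

            try {
                result.setPubKeyParams(GeneralCMSUtils.getPkParams(publicKey));
                result.setSignatureAlgorithm(xmlSignature.getSignedInfo().getSignatureMethodURI());
                // checkSignatureValue verifies both the SignatureValue and every Reference digest.
                if (!xmlSignature.checkSignatureValue(publicKey)) {
                    final String msg = "Signature is invalid - signature value did not validate correctly or reference digest comparison failed";
                    log.info(msg);
                    result.setError(SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE, msg);
                    return result;
                }
                log.debug("Signature value was successfully validated");

                if (result.getSignerCertificate() == null) {
                    // Verified against a KeyInfo key only - not acceptable as a signer.
                    final String msg = "No signer certificate provided with signature";
                    log.info("Signature validation failed - {}", msg);
                    result.setError(SignatureValidationResult.Status.ERROR_SIGNER_NOT_ACCEPTED, msg);
                    return result;
                }
                result.setStatus(SignatureValidationResult.Status.SUCCESS);
                return result;
            }
            catch (XMLSignatureException | IOException e) {
                final String msg = "Signature is invalid - " + e.getMessage();
                log.info("{}", msg, e);
                result.setError(SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE, msg, e);
                return result;
            }
        }
        catch (final Exception e) {
            // Anything that prevents the element from being read as an XML signature at all.
            result.setError(SignatureValidationResult.Status.ERROR_BAD_FORMAT, e.getMessage(), e);
            return result;
        }
    }

    /**
     * Wraps a verified time-stamp into a {@link TimeValidationResult}.
     *
     * @param timeStamp a parsed time-stamp with a {@code TSTInfo}
     * @return the result, or {@code null} if the time validation claims could not be collected
     */
    private TimeValidationResult getTimeValidationResult(final TimeStamp timeStamp) {
        final TimeValidationClaims claims = getVerifiedTimeFromTimeStamp(timeStamp, SIG_TIMESTAMP_TIMEVAL_TYPE);
        if (claims == null) {
            return null;
        }
        return new TimeValidationResult(claims, timeStamp.getCertificateValidationResult(), timeStamp);
    }

    /**
     * Collects the time validation claims of a time-stamp: token serial number (hex) as id, the TSA
     * certificate subject as issuer, the generation time in seconds since the epoch, and the policy
     * validation claims produced by the time-stamp policy verifier.
     *
     * @param timeStamp the time-stamp
     * @param timeValType time validation type URI to record
     * @return the claims, or {@code null} if any required value is missing
     */
    private TimeValidationClaims getVerifiedTimeFromTimeStamp(final TimeStamp timeStamp, final String timeValType) {
        try {
            return TimeValidationClaims.builder()
                .id(timeStamp.getTstInfo().getSerialNumber().getValue().toString(16))
                .iss(timeStamp.getSigCert().getSubjectX500Principal().toString())
                .time(timeStamp.getTstInfo().getGenTime().getDate().getTime() / 1000)
                .type(timeValType)
                .val(timeStamp.getPolicyValidationClaimsList())
                .build();
        }
        catch (final Exception e) {
            log.error("Error collecting time validation claims data: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Compiles a validation result from a Signature Validation Token.
     *
     * <p>No cryptographic verification of the XML signature takes place here: the signature is trusted to
     * the extent that the SVT validator verified the token. The signer certificate and chain are taken
     * from the signature data, the certificate validation result from the SVT. The SVT issuance time is
     * appended to the token's time validation claims as a claim of its own.</p>
     *
     * @param svtResult the SVT validation result
     * @param element the {@code ds:Signature} element
     * @param signatureData pre-parsed signature data
     * @return the compiled result; {@code ERROR_INVALID_SIGNATURE} if the SVT did not verify or could not
     *         be processed
     */
    private ExtendedXmlSigvalResult compileXMLSigValResultsFromSvtValidation(final SignatureSVTValidationResult svtResult,
            final Element element, final SignatureData signatureData) {
        final ExtendedXmlSigvalResult result = new ExtendedXmlSigvalResult();
        result.setSignatureElement(element);
        try {
            final XAdESObjectParser xadesParser = new XAdESObjectParser(element, signatureData);
            result.setSignedDocument(signatureData.getSignedDocument());
            result.setCoversDocument(signatureData.isCoversWholeDoc());
            result.setEtsiAdes(xadesParser.getQualifyingProperties() != null);
            result.setClaimedSigningTime(xadesParser.getClaimedSigningTime());

            // The signer certificate must be set BEFORE the XAdES SigningCertificate check; otherwise the
            // check runs against a null certificate and presumably always flags the signer as invalid.
            result.setSignerCertificate(signatureData.getSignerCertificate());
            result.setSignatureCertificateChain(signatureData.getSignatureCertChain());
            result.setInvalidSignCert(!xadesParser.isXadesVerified(result.getSignerCertificate()));

            final SignedJWT signedJWT = svtResult.getSignedJWT();
            result.setSignatureAlgorithm(JWSAlgorithmRegistry.getUri(signedJWT.getHeader().getAlgorithm()));
            result.setPubKeyParams(GeneralCMSUtils.getPkParams(
                SVAUtils.getCertificate(svtResult.getSignerCertificate()).getPublicKey()));
            result.setSvtJWT(signedJWT);
            result.setCertificateValidationResult(new DefaultCertificateValidationResult(
                SVAUtils.getOrderedCertList(svtResult.getSignerCertificate(), svtResult.getCertificateChain())));

            final SignatureClaims signatureClaims = svtResult.getSignatureClaims();
            if (svtResult.isSvtValidationSuccess()) {
                result.setStatus(SignatureValidationResult.Status.SUCCESS);
            }
            else {
                result.setStatus(SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE);
                result.setStatusMessage("Unable to verify SVT signature");
            }
            result.setSignatureClaims(signatureClaims);
            result.setValidationPolicyResultList(signatureClaims.getSig_val());

            // NOTE(review): the SVT issuance-time claim is recorded as PASSED even when the SVT signature
            // did not verify. The overall status is an error in that case, but consumers reading the time
            // claims on their own should not rely on this entry as proof.
            final JWTClaimsSet jwtClaims = signedJWT.getJWTClaimsSet();
            List<TimeValidationClaims> timeValClaims = signatureClaims.getTime_val();
            if (timeValClaims == null) {
                timeValClaims = new ArrayList<>();
            }
            timeValClaims.add(TimeValidationClaims.builder()
                .iss(jwtClaims.getIssuer())
                .time(jwtClaims.getIssueTime().getTime() / 1000)
                .type(SVT_TIMEVAL_TYPE)
                .id(jwtClaims.getJWTID())
                .val(Arrays.asList(PolicyValidationClaims.builder()
                    .pol(SVT_PKIX_POLICY)
                    .res(ValidationConclusion.PASSED)
                    .build()))
                .build());

            final List<TimeValidationResult> timeValidationResults = new ArrayList<>(timeValClaims.size());
            for (final TimeValidationClaims claims : timeValClaims) {
                // SVT-derived time claims carry neither a certificate validation result nor a raw time-stamp.
                timeValidationResults.add(new TimeValidationResult(claims, (CertificateValidationResult) null, (TimeStamp) null));
            }
            result.setTimeValidationResults(timeValidationResults);
            return result;
        }
        catch (final Exception e) {
            log.debug("Unable to process SVA token or signature data: {}", e.getMessage(), e);
            result.setStatus(SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE);
            result.setStatusMessage("Unable to process SVA token or signature data");
            return result;
        }
    }
}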
