package se.idsec.sigval.xml.svt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import se.idsec.signservice.security.certificate.CertificateValidator;
import se.idsec.sigval.commons.algorithms.DigestAlgorithm;
import se.idsec.sigval.commons.algorithms.DigestAlgorithmRegistry;
import se.idsec.sigval.commons.utils.SVAUtils;
import se.idsec.sigval.svt.algorithms.SVTAlgoRegistry;
import se.idsec.sigval.svt.claims.SVTClaims;
import se.idsec.sigval.svt.claims.SigReferenceClaims;
import se.idsec.sigval.svt.claims.SignatureClaims;
import se.idsec.sigval.svt.claims.SignedDataClaims;
import se.idsec.sigval.svt.validation.SVTValidator;
import se.idsec.sigval.svt.validation.SignatureSVTData;
import se.idsec.sigval.xml.xmlstruct.SignatureData;
import se.idsec.sigval.xml.xmlstruct.XMLSigConstants;

/* loaded from: input_file:se/idsec/sigval/xml/svt/XMLSVTValidator.class */
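/**
 * SVT (Signature Validation Token) validator for XML signatures.
 *
 * <p>Tokens are read from {@code ds:Object} elements of the signature, parsed as signed JWTs and verified
 * against a certificate selected from the JWT header and the locally configured supporting certificates.
 * The selected certificate is passed through the configured {@link CertificateValidator} before its public
 * key is used for the JWS signature check. The most recent verified token is then bound to the present
 * signature through the hash of the signature value carried in the SVT claims.
 */
public class XMLSVTValidator extends SVTValidator<XMLSigValInput> implements XMLSigConstants {
    private static final Logger log = LoggerFactory.getLogger(XMLSVTValidator.class);

    /** Validator applied to the SVT signing certificate; it decides whether the certificate is trusted at all. */
    private final CertificateValidator svaCertVerifier;

    /** Locally configured certificates, searched before the JWT header chain when a {@code kid} is present. */
    private final List<X509Certificate> supportingCertificates;

    /**
     * Result of certificate selection for one SVT: the certificate chosen as signing certificate plus every
     * certificate that may help validating it. A {@code null} signing certificate means no candidate was found.
     *
     * <p>Declared {@code static}: the holder needs no reference to the enclosing validator.
     */
    public static class JWTCerts {
        private X509Certificate signingCert;
        private List<X509Certificate> supportingCertList;

        /**
         * Creates a holder.
         *
         * @param signingCert certificate selected as SVT signing certificate, or {@code null} if none was found
         * @param supportingCertList certificates available for chain building, or {@code null}
         */
        public JWTCerts(X509Certificate signingCert, List<X509Certificate> supportingCertList) {
            this.signingCert = signingCert;
            this.supportingCertList = supportingCertList;
        }

        /** @return the selected signing certificate, or {@code null} if none was found */
        public X509Certificate getSigningCert() {
            return this.signingCert;
        }

        /** @return the certificates available for validating the signing certificate, or {@code null} */
        public List<X509Certificate> getSupportingCertList() {
            return this.supportingCertList;
        }

        public void setSigningCert(X509Certificate signingCert) {
            this.signingCert = signingCert;
        }

        public void setSupportingCertList(List<X509Certificate> supportingCertList) {
            this.supportingCertList = supportingCertList;
        }

        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof JWTCerts)) {
                return false;
            }
            JWTCerts other = (JWTCerts) obj;
            if (!other.canEqual(this)) {
                return false;
            }
            return Objects.equals(getSigningCert(), other.getSigningCert())
                && Objects.equals(getSupportingCertList(), other.getSupportingCertList());
        }

        /** Subclass hook keeping {@link #equals(Object)} symmetric across subclasses. */
        protected boolean canEqual(Object obj) {
            return obj instanceof JWTCerts;
        }

        @Override
        public int hashCode() {
            return Objects.hash(getSigningCert(), getSupportingCertList());
        }

        @Override
        public String toString() {
            return "XMLSVTValidator.JWTCerts(signingCert=" + getSigningCert() + ", supportingCertList=" + getSupportingCertList() + ")";
        }
    }

    /**
     * Creates a validator without locally configured supporting certificates.
     *
     * @param certificateValidator validator applied to the SVT signing certificate
     */
    public XMLSVTValidator(CertificateValidator certificateValidator) {
        this(certificateValidator, null);
    }

    /**
     * Creates a validator with locally configured supporting certificates.
     *
     * @param certificateValidator validator applied to the SVT signing certificate
     * @param list supporting certificates; {@code null} is treated as an empty list. The list is held by
     *             reference, so later changes by the caller are visible to this validator.
     */
    public XMLSVTValidator(CertificateValidator certificateValidator, List<X509Certificate> list) {
        this.svaCertVerifier = certificateValidator;
        this.supportingCertificates = list != null ? list : new ArrayList<>();
    }

    /**
     * Collects the SVT data for the signature under validation.
     *
     * <p>Every token found in the signature is parsed and verified independently; tokens that fail are logged
     * at debug level and skipped. Of the tokens that verify, the most recent one is bound to the signature.
     *
     * @param input the signature and its extracted signature data
     * @return a single-element list holding the SVT data for the signature
     * @throws IOException if no token in the signature could be parsed and verified
     * @throws Exception on errors while binding the token to the signature
     */
    public List<SignatureSVTData> getSignatureSVTData(XMLSigValInput input) throws Exception {
        List<String> svtTokens = getSignatureSvaTokens(input.getSignatureElement());
        List<SignedJWT> verifiedJwts = new ArrayList<>();
        for (String token : svtTokens) {
            try {
                SignedJWT jwt = SignedJWT.parse(token);
                verifyJWT(jwt);
                verifiedJwts.add(jwt);
            } catch (Exception e) {
                // One bad token must not hide a valid one; skip and keep looking.
                log.debug("Failed to parse and validate SVT {}", e.getMessage());
            }
        }
        if (verifiedJwts.isEmpty()) {
            // No JWT can be selected from an empty list; fail here with a clear message rather than
            // with a downstream NullPointerException.
            throw new IOException("No SVT in the signature could be parsed and verified");
        }
        return Arrays.asList(collectSignatureSVTData(input, SVAUtils.getMostRecentJwt(verifiedJwts)));
    }

    /**
     * Binds a verified SVT to the present signature and assembles the data the base validator consumes.
     *
     * <p>All hashes are computed with the digest algorithm named in the SVT claims. The SVT is accepted for
     * this signature only if one of its signature claims carries the hash of the present signature value.
     *
     * @param input the signature under validation
     * @param signedJWT a JWT that has already passed {@link #verifyJWT(SignedJWT)}
     * @return the assembled SVT data
     * @throws RuntimeException if no signature claim in the SVT matches the present signature
     * @throws Exception on claim parsing, digest or certificate encoding errors
     */
    private SignatureSVTData collectSignatureSVTData(XMLSigValInput input, SignedJWT signedJWT) throws Exception {
        SVTClaims svtClaims = SVAUtils.getSVTClaims(signedJWT.getJWTClaimsSet());
        DigestAlgorithm digestAlgorithm = DigestAlgorithmRegistry.get(svtClaims.getHash_algo());
        SignatureData signatureData = input.getSignatureData();

        String sigHash = toBase64Digest(signatureData.getSignatureBytes(), digestAlgorithm);
        String sbHash = toBase64Digest(signatureData.getSignedInfoBytes(), digestAlgorithm);

        // The SVT may cover several signatures; pick the claims made about this one by signature-value hash.
        SignatureClaims matchingClaims = svtClaims.getSig().stream()
            .filter(claims -> claims.getSig_ref().getSig_hash().equals(sigHash))
            .findFirst()
            .orElseThrow(() -> new RuntimeException("The validated SVT claims does not match the present signature"));

        List<SignedDataClaims> signedDataRefs = new ArrayList<>();
        for (Map.Entry<String, byte[]> ref : signatureData.getRefDataMap().entrySet()) {
            signedDataRefs.add(SignedDataClaims.builder()
                .ref(ref.getKey())
                .hash(toBase64Digest(ref.getValue(), digestAlgorithm))
                .build());
        }

        List<byte[]> signerCertChain = new ArrayList<>();
        for (X509Certificate cert : signatureData.getSignatureCertChain()) {
            signerCertChain.add(cert.getEncoded());
        }

        return SignatureSVTData.builder()
            .signedJWT(signedJWT)
            .signatureReference(SigReferenceClaims.builder()
                .id(signatureData.getSignature().getId())
                .sig_hash(sigHash)
                .sb_hash(sbHash)
                .build())
            .signatureClaims(matchingClaims)
            .signedDataRefList(signedDataRefs)
            .signerCertChain(signerCertChain)
            .build();
    }

    /**
     * Digests {@code data} with the given algorithm and returns the digest as Base64.
     *
     * @param data bytes to digest
     * @param digestAlgorithm algorithm taken from the SVT claims
     * @return Base64 encoded digest
     * @throws NoSuchAlgorithmException if no {@link MessageDigest} exists for the algorithm
     */
    private String toBase64Digest(byte[] data, DigestAlgorithm digestAlgorithm) throws NoSuchAlgorithmException {
        return Base64.toBase64String(digestAlgorithm.getInstance().digest(data));
    }

    /**
     * Verifies one SVT: selects its signing certificate, validates that certificate with the configured
     * certificate validator and only then checks the JWS signature with the certificate's public key.
     *
     * <p>The {@code kid} and {@code x5c} header values are attacker-controlled until this method completes;
     * trust in the selected certificate comes exclusively from {@code svaCertVerifier}.
     *
     * @param signedJWT the parsed, not yet verified token
     * @throws IOException if no signing certificate could be selected
     * @throws Exception if certificate validation or signature verification fails
     */
    private void verifyJWT(SignedJWT signedJWT) throws Exception {
        JWTCerts jwtCerts = getAllJwtCerts(
            signedJWT.getHeader().getAlgorithm(),
            signedJWT.getHeader().getKeyID(),
            getJWTCerts(signedJWT.getHeader().getX509CertChain()));
        X509Certificate signingCert = jwtCerts.getSigningCert();
        if (signingCert == null) {
            throw new IOException("Unable to locate a SVT signing certificate");
        }
        // Certificate path validation first; the key is only used for signature verification afterwards.
        this.svaCertVerifier.validate(signingCert, jwtCerts.getSupportingCertList(), (List) null);
        SVAUtils.verifySVA(signedJWT, signingCert.getPublicKey());
    }

    /**
     * Selects the SVT signing certificate and gathers all certificates available for validating it.
     *
     * <p>With a {@code kid}: the locally configured certificates are searched first, then the header chain,
     * for a certificate whose thumbprint equals the {@code kid}. Without a {@code kid}: the first header
     * certificate is used. The supporting list is the configured certificates followed by the header chain.
     *
     * @param jwsAlgorithm JWS algorithm of the token; determines the thumbprint digest
     * @param keyId {@code kid} header value, possibly {@code null} or empty
     * @param headerCerts certificates from the {@code x5c} header, never {@code null}
     * @return the selection; signing certificate and list are both {@code null} when nothing was found
     * @throws Exception propagated from stream evaluation
     */
    private JWTCerts getAllJwtCerts(JWSAlgorithm jwsAlgorithm, String keyId, List<X509Certificate> headerCerts) throws Exception {
        X509Certificate signingCert;
        if (StringUtils.isNotEmpty(keyId)) {
            signingCert = findByKeyId(this.supportingCertificates, keyId, jwsAlgorithm)
                .orElseGet(() -> findByKeyId(headerCerts, keyId, jwsAlgorithm).orElse(null));
            if (signingCert == null) {
                return new JWTCerts(null, null);
            }
        } else {
            if (headerCerts.isEmpty()) {
                return new JWTCerts(null, null);
            }
            signingCert = headerCerts.get(0);
        }
        List<X509Certificate> allCerts = new ArrayList<>(this.supportingCertificates);
        allCerts.addAll(headerCerts);
        return new JWTCerts(signingCert, allCerts);
    }

    /**
     * Finds the first certificate in {@code certs} whose thumbprint matches {@code keyId}.
     *
     * @param certs candidates to search
     * @param keyId expected thumbprint (Base64)
     * @param jwsAlgorithm JWS algorithm selecting the thumbprint digest
     * @return the first matching certificate, if any
     */
    private Optional<X509Certificate> findByKeyId(List<X509Certificate> certs, String keyId, JWSAlgorithm jwsAlgorithm) {
        return certs.stream()
            .filter(cert -> certMatchKeyId(cert, keyId, jwsAlgorithm))
            .findFirst();
    }

    /**
     * Tests whether {@code keyId} is the Base64 digest of the certificate's DER encoding, using the digest
     * registered for the JWS algorithm.
     *
     * @param cert certificate to test
     * @param keyId expected thumbprint (Base64)
     * @param jwsAlgorithm JWS algorithm selecting the digest
     * @return {@code true} on match; {@code false} on mismatch or on any error (unknown algorithm,
     *         certificate that cannot be encoded), i.e. errors fail closed
     */
    private boolean certMatchKeyId(X509Certificate cert, String keyId, JWSAlgorithm jwsAlgorithm) {
        try {
            String digestName = SVTAlgoRegistry.getAlgoParams(jwsAlgorithm).getDigestInstanceName();
            byte[] thumbprint = MessageDigest.getInstance(digestName).digest(cert.getEncoded());
            return keyId.equals(Base64.toBase64String(thumbprint));
        } catch (Exception ignored) {
            // A certificate that cannot be thumbprinted simply does not match.
            return false;
        }
    }

    /**
     * Decodes the {@code x5c} header entries to certificates, dropping entries that do not decode.
     *
     * @param x5c header chain, possibly {@code null}
     * @return decoded certificates in header order; empty when the header is absent
     */
    private List<X509Certificate> getJWTCerts(List<com.nimbusds.jose.util.Base64> x5c) {
        if (x5c == null) {
            return new ArrayList<>();
        }
        return x5c.stream()
            .map(entry -> SVAUtils.getCertOrNull(entry.decode()))
            .filter(Objects::nonNull)
            .collect(Collectors.toList());
    }

    /**
     * Extracts the text content of every {@code SignatureValidationToken} element found under a
     * {@code ds:Object} element of the signature.
     *
     * <p>Errors while reading one {@code ds:Object} are logged at debug level and that object is skipped.
     *
     * @param signatureElement the {@code ds:Signature} element
     * @return the raw token strings in document order; empty when none are present
     */
    private List<String> getSignatureSvaTokens(Element signatureElement) {
        List<String> tokens = new ArrayList<>();
        NodeList objectNodes = signatureElement.getElementsByTagNameNS(XMLSigConstants.XMLDSIG_NS, "Object");
        if (objectNodes == null) {
            return tokens;
        }
        for (int i = 0; i < objectNodes.getLength(); i++) {
            try {
                NodeList tokenNodes = ((Element) objectNodes.item(i))
                    .getElementsByTagNameNS(XMLSigConstants.XML_SVT_NS, "SignatureValidationToken");
                if (tokenNodes == null) {
                    continue;
                }
                for (int j = 0; j < tokenNodes.getLength(); j++) {
                    tokens.add(((Element) tokenNodes.item(j)).getTextContent());
                }
            } catch (Exception e) {
                log.debug("Error parsing SVT data from signature object node {}", e.getMessage());
            }
        }
        return tokens;
    }
}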
