package xsul.dsig.globus;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.PrintWriter;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import org.apache.axiom.om.util.DigestGenerator;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.SignatureAlgorithm;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.utils.HexDump;
import org.apache.xml.security.utils.XMLUtils;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.apache.xml.serialize.OutputFormat;
import org.apache.xml.serialize.XMLSerializer;
import org.apache.xpath.CachedXPathAPI;
import org.globus.gsi.CertUtil;
import org.globus.gsi.GlobusCredential;
import org.globus.gsi.proxy.ProxyPathValidator;
import org.globus.gsi.proxy.ProxyPathValidatorException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import xsul.MLogger;
import xsul.XsulException;
import xsul.dsig.SOAPEnvelopeVerifier;
import xsul.dsig.SignatureInfo;
import xsul.dsig.globus.security.authentication.SOAPBodyIdResolver;
import xsul.dsig.globus.security.authentication.wssec.BinarySecurityToken;
import xsul.dsig.globus.security.authentication.wssec.BinarySecurityTokenFactory;
import xsul.dsig.globus.security.authentication.wssec.PKIPathSecurityToken;
import xsul.dsig.globus.security.authentication.wssec.Reference;
import xsul.dsig.globus.security.authentication.wssec.SecurityTokenReference;
import xsul.dsig.globus.security.authentication.wssec.WSSecurityException;
import xsul.dsig.globus.security.authentication.wssec.WSSecurityIdResolver;
import xsul.dsig.globus.security.authentication.wssec.WSSecurityUtil;
import xsul.dsig.globus.security.authentication.wssec.X509SecurityToken;
import xsul.util.XsulUtil;

/* loaded from: input_file:WEB-INF/lib/xsul-2.10.5_b.jar:xsul/dsig/globus/GlobusCredSOAPEnvelopeVerifier.class */
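/**
 * Verifies the XML-DSig signature of a SOAP envelope whose signing certificate is carried
 * either as {@code ds:X509Data} inside {@code ds:KeyInfo} or as a WS-Security binary security
 * token referenced from {@code KeyInfo}.
 *
 * <p>Verification performs, in order: certificate validity-period check, (optionally) Globus
 * proxy-path validation of the presented chain against {@link #trustedCerts}, and the
 * signature check itself. Every step is mandatory for a message to be accepted; a chain that
 * does not validate against the configured trust anchors is rejected even if the signature
 * itself verifies, and a chain that validates is still only accepted once the signature
 * verifies.
 *
 * <p>Thread-safety: the default instance is created under a class lock; the verifier itself
 * holds only the immutable-by-convention trust-anchor array and allocates everything else
 * per call.
 */
public class GlobusCredSOAPEnvelopeVerifier extends SOAPEnvelopeVerifier {
    private static final boolean HEAVY_TRACING = false;
    private static final MLogger logger = MLogger.getLogger();
    /** Lazily created default instance; it has no trust anchors, so no chain validation. */
    private static GlobusCredSOAPEnvelopeVerifier instance;
    /**
     * Trust anchors for {@link ProxyPathValidator}. {@code null} disables chain validation and
     * the message is accepted on a valid signature by the presented certificate alone.
     */
    protected X509Certificate[] trustedCerts;

    /**
     * Returns the shared verifier that performs no chain validation.
     *
     * @return the lazily created default instance
     */
    public static synchronized GlobusCredSOAPEnvelopeVerifier getInstance() {
        if (instance == null) {
            instance = new GlobusCredSOAPEnvelopeVerifier();
        }
        return instance;
    }

    /**
     * Creates a verifier without trust anchors.
     *
     * @param globusCredential must not be {@code null}; it is only used for the null check
     * @return a new verifier that does not validate the certificate chain
     */
    public static GlobusCredSOAPEnvelopeVerifier getInstance(GlobusCredential globusCredential) {
        return getInstance(globusCredential, null);
    }

    /**
     * Creates a verifier with the given trust anchors.
     *
     * @param globusCredential must not be {@code null}; it is validated but otherwise unused
     * @param x509CertificateArr trust anchors for chain validation, or {@code null} to skip it
     * @return a new verifier instance
     * @throws XsulException if {@code globusCredential} is {@code null}
     */
    public static GlobusCredSOAPEnvelopeVerifier getInstance(GlobusCredential globusCredential, X509Certificate[] x509CertificateArr) throws XsulException {
        if (globusCredential == null) {
            throw new XsulException("globus credential can not be null");
        }
        return new GlobusCredSOAPEnvelopeVerifier(x509CertificateArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Creates a verifier with no trust anchors. */
    public GlobusCredSOAPEnvelopeVerifier() {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a verifier with the given trust anchors.
     *
     * @param x509CertificateArr trust anchors, or {@code null} to disable chain validation
     */
    public GlobusCredSOAPEnvelopeVerifier(X509Certificate[] x509CertificateArr) {
        this.trustedCerts = x509CertificateArr;
    }

    /**
     * Loads the certificate chain embedded as {@code ds:X509Data} in the given {@code KeyInfo}.
     *
     * @param keyInfo key information containing exactly one {@code X509Data} element
     * @return the certificates in document order; never empty
     * @throws WSSecurityException if there is not exactly one {@code X509Data} element or it
     *     carries no certificate
     * @throws Exception if a certificate cannot be parsed
     */
    protected X509Certificate[] getCertificatesX509Data(KeyInfo keyInfo) throws Exception {
        int x509DataCount = keyInfo.lengthX509Data();
        if (x509DataCount != 1) {
            throw new WSSecurityException(0, "invalidX509Data", new Object[]{Integer.valueOf(x509DataCount)});
        }
        X509Data x509Data = keyInfo.itemX509Data(0);
        int certCount = x509Data.lengthCertificate();
        if (certCount <= 0) {
            throw new WSSecurityException(0, "invalidCertData", new Object[]{Integer.valueOf(certCount)});
        }
        X509Certificate[] chain = new X509Certificate[certCount];
        for (int i = 0; i < certCount; i++) {
            byte[] der = x509Data.itemCertificate(i).getCertificateBytes();
            chain[i] = CertUtil.loadCertificate(new ByteArrayInputStream(der));
        }
        return chain;
    }

    /**
     * Resolves a {@code wsse:SecurityTokenReference} to the certificate chain of the referenced
     * binary security token in the same document.
     *
     * @param element the {@code SecurityTokenReference} element
     * @return the chain of a PKIPath token, or the single certificate of an X509 token
     * @throws WSSecurityException if the reference, its URI or the referenced token is missing,
     *     or the token type is not handled
     * @throws Exception if the token cannot be parsed
     */
    protected X509Certificate[] getCertificatesTokenReference(Element element) throws Exception {
        Reference reference = new SecurityTokenReference(element).getReference();
        if (reference == null) {
            throw new WSSecurityException(3, "noReference");
        }
        String uri = reference.getURI();
        logger.info("Token reference uri: " + uri);
        if (uri == null) {
            throw new WSSecurityException(3, "badReferenceURI");
        }
        // The token must live in the same document; the resolver looks it up by wsu:Id.
        Element tokenElement = WSSecurityIdResolver.getInstance().getElementById(element.getOwnerDocument(), uri);
        if (tokenElement == null) {
            throw new WSSecurityException(7, "noToken", new Object[]{uri});
        }
        BinarySecurityToken token = BinarySecurityTokenFactory.getInstance().createSecurityToken(tokenElement);
        if (token instanceof PKIPathSecurityToken) {
            return ((PKIPathSecurityToken) token).getX509Certificates(true);
        }
        if (token instanceof X509SecurityToken) {
            return new X509Certificate[]{((X509SecurityToken) token).getX509Certificate()};
        }
        logger.finest("unhandled security token: " + token);
        throw new WSSecurityException(1, "unhandledToken", new Object[]{token.getClass().getName()});
    }

    /**
     * Returns the resolver used to dereference {@code ds:Reference} URIs (SOAP body ids).
     *
     * @return the shared SOAP body id resolver
     */
    protected ResourceResolverSpi getResourceResolver() {
        return SOAPBodyIdResolver.getInstance();
    }

    /**
     * Verifies the {@code ds:Signature} found in the envelope.
     *
     * <p>Accepts the message only if all of the following hold: the signing certificate is
     * within its validity period; when {@link #trustedCerts} is set, the presented chain passes
     * {@link ProxyPathValidator}; and the signature verifies under the signing certificate's
     * public key.
     *
     * @param document the SOAP envelope
     * @return signature information for the accepted message
     * @throws XsulException if no signature is present, the certificate is outside its validity
     *     period, the chain does not validate against the trust anchors, the signature is
     *     invalid, or any other error occurs during verification (the cause is chained)
     */
    @Override // xsul.dsig.SOAPEnvelopeVerifier
    public SignatureInfo verifySoapMessage(Document document) throws XsulException {
        try {
            if (logger.getLevel().equals(MLogger.Level.ALL)) {
                ByteArrayOutputStream dump = new ByteArrayOutputStream();
                XMLSerializer serializer = new XMLSerializer(new PrintWriter(dump), (OutputFormat) null);
                serializer.asDOMSerializer();
                serializer.serialize(document);
                logger.finest("SIGNATUR2_XML_START\n" + XsulUtil.printable(dump.toString()) + "\nSIGNATUR2_XML_END\n");
            }
            Element signatureElement = findSignatureElement(document);
            XMLSignature signature = new XMLSignature(signatureElement, (String) null);
            KeyInfo keyInfo = signature.getKeyInfo();
            signature.getSignedInfo().addResourceResolver(getResourceResolver());

            X509Certificate[] chain = resolveSigningChain(keyInfo);
            X509Certificate signerCert = chain[0];
            Principal subjectDN = signerCert.getSubjectDN();

            try {
                signerCert.checkValidity();
            } catch (CertificateExpiredException e) {
                throw new XsulException("expired certificate identifed by " + subjectDN + " used for signing of message certificate is " + signerCert, e);
            } catch (CertificateNotYetValidException e) {
                throw new XsulException("not yet valid certificate identified by " + subjectDN + " used for signing of message certificate is " + signerCert, e);
            }
            signature.setFollowNestedManifests(false);

            // Chain validation is mandatory when trust anchors are configured; a validation
            // failure is never compensated by a valid signature.
            if (this.trustedCerts != null) {
                try {
                    new ProxyPathValidator().validate(chain, this.trustedCerts);
                } catch (ProxyPathValidatorException e) {
                    throw new XsulException("certificate chain of " + subjectDN + " does not validate against the trusted certificates", e);
                }
            }
            // The signature is checked regardless of whether chain validation ran.
            if (!checkSignatureValue(signature, signerCert.getPublicKey())) {
                throw new XsulException("could not verify signature for message signed by " + subjectDN + " using " + signerCert);
            }
            logger.finest("The signature is valid");
            return extractSignatureInfo(subjectDN, signatureElement);
        } catch (XsulException e) {
            // Already carries a specific message; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            throw new XsulException("could not verify signature " + e, e);
        }
    }

    /**
     * Locates the single {@code ds:Signature} element of the envelope.
     *
     * @param document the SOAP envelope
     * @return the signature element
     * @throws XsulException if the envelope carries no {@code ds:Signature}
     * @throws Exception on XPath evaluation errors
     */
    private Element findSignatureElement(Document document) throws Exception {
        CachedXPathAPI xpath = new CachedXPathAPI();
        // Namespace context carrier for the XPath prefix "ds".
        Element nsContext = document.createElement("nsctx");
        nsContext.setAttribute("xmlns:ds", "http://www.w3.org/2000/09/xmldsig#");
        Element signatureElement = (Element) xpath.selectSingleNode(document, "//ds:Signature", nsContext);
        if (signatureElement == null) {
            throw new XsulException("could not find ds:Signature in envelope");
        }
        return signatureElement;
    }

    /**
     * Extracts the signer's certificate chain from {@code KeyInfo}, preferring embedded
     * {@code X509Data} and falling back to a WS-Security token reference.
     *
     * @param keyInfo the signature's key information
     * @return a non-empty chain whose first element is the signing certificate
     * @throws WSSecurityException if neither form is present or the token cannot be resolved
     * @throws XsulException if the resolved chain is empty
     * @throws Exception on parsing errors
     */
    private X509Certificate[] resolveSigningChain(KeyInfo keyInfo) throws Exception {
        X509Certificate[] chain;
        if (keyInfo.containsX509Data()) {
            logger.info("keyinfo contains x509 data");
            chain = getCertificatesX509Data(keyInfo);
        } else {
            logger.info("try to get x509 data from security token");
            Node tokenRef = WSSecurityUtil.getDirectChild(keyInfo.getElement(), SecurityTokenReference.TOKEN.getLocalPart(), SecurityTokenReference.TOKEN.getNamespaceURI());
            if (tokenRef == null) {
                throw new WSSecurityException(3, "unsupportedKeyInfo", null);
            }
            chain = getCertificatesTokenReference((Element) tokenRef);
        }
        // Guard chain[0] dereferences: a token could in principle resolve to no certificates.
        if (chain == null || chain.length == 0) {
            throw new XsulException("no signing certificate found in KeyInfo");
        }
        logger.info("cert0: " + chain[0]);
        return chain;
    }

    /**
     * Builds the result for an accepted message.
     *
     * @param principal subject of the signing certificate
     * @param element the verified {@code ds:Signature} element (unused here; available to subclasses)
     * @return signature information naming the signer
     * @throws Exception never here; declared for subclasses
     */
    protected SignatureInfo extractSignatureInfo(Principal principal, Element element) throws Exception {
        return new GlobusSignatureInfo(principal);
    }

    /**
     * Checks the references of {@code SignedInfo} and then the {@code SignatureValue} under the
     * given key.
     *
     * <p>The signature algorithm is taken from the message's {@code SignatureMethod}; the key is
     * supplied by the caller, so trust in the key must be established before calling this.
     *
     * @param xMLSignature the parsed signature
     * @param key the public key expected to have produced the signature
     * @return {@code true} if all references and the signature value verify
     * @throws XMLSignatureException if {@code key} is {@code null} or verification fails
     *     with an underlying security error
     */
    public static boolean checkSignatureValue(XMLSignature xMLSignature, Key key) throws XMLSignatureException {
        if (key == null) {
            throw new XMLSignatureException("empty", new Object[]{"Didn't get a key"});
        }
        try {
            // Reference digests first (followManifests=false), then the signature itself.
            if (!xMLSignature.getSignedInfo().verify(false)) {
                return false;
            }
            SignatureAlgorithm algorithm = new SignatureAlgorithm(xMLSignature.getSignedInfo().getSignatureMethodElement(), xMLSignature.getBaseURI());
            logger.finest("SignatureMethodURI = " + algorithm.getAlgorithmURI());
            logger.finest("jceSigAlgorithm    = " + algorithm.getJCEAlgorithmString());
            logger.finest("jceSigProvider     = " + algorithm.getJCEProviderName());
            logger.finest("PublicKey = " + key);
            algorithm.initVerify(key);
            algorithm.update(xMLSignature.getSignedInfo().getCanonicalizedOctetStream());
            boolean verified = algorithm.verify(xMLSignature.getSignatureValue());
            logger.finest("XXX verify=" + verified);
            return verified;
        } catch (XMLSecurityException e) {
            throw new XMLSignatureException("empty", e);
        }
    }

    /**
     * Hex-encodes the SHA-1 digest of the given bytes.
     *
     * <p>SHA-1 is retained for compatibility with existing callers (fingerprints/ids); it is not
     * collision-resistant and must not be used for new integrity or signature purposes.
     *
     * @param bArr the data to digest
     * @return lowercase/uppercase hex string as produced by {@link HexDump}
     * @throws RuntimeException if the SHA-1 algorithm is unavailable in the JCE
     */
    public static String SHA1(byte[] bArr) {
        try {
            MessageDigest digest = MessageDigest.getInstance(DigestGenerator.shaDigestAlgorithm);
            digest.update(bArr);
            return HexDump.byteArrayToHexString(digest.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    static {
        // Initialise Apache XML Security before any XMLSignature is constructed.
        Init.init();
    }
}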
