package org.apache.juddi.v3.client.cryptor;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.x500.X500Principal;
import javax.xml.bind.JAXB;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.dom.DOMSource;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import sun.security.provider.certpath.OCSP;

/* JADX WARN: Classes with same name are omitted:
  input_file:applets/juddi-gui-dsig-all.jar:org/apache/juddi/v3/client/cryptor/DigSigUtil.class
 */
/* loaded from: input_file:WEB-INF/lib/juddi-client-3.3.2.jar:org/apache/juddi/v3/client/cryptor/DigSigUtil.class */
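/**
 * Signs and verifies UDDI entities with enveloped XML Digital Signatures (XMLDSig).
 *
 * <p>Configuration is a {@link Properties} bag keyed by the {@code public static final} constants of this
 * class: where the signing keystore lives ({@link #SIGNATURE_KEYSTORE_FILE}, {@link #SIGNATURE_KEYSTORE_FILETYPE},
 * the file/key passwords and {@link #SIGNATURE_KEYSTORE_KEY_ALIAS}), which certificate references are embedded in
 * the signature ({@link #SIGNATURE_OPTION_CERT_INCLUSION_BASE64}, {@link #SIGNATURE_OPTION_CERT_INCLUSION_SERIAL},
 * {@link #SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN}), the algorithms used when signing, the trust store used for
 * certificate checks ({@code TRUSTSTORE_*}), and which checks are applied when verifying ({@link #CHECK_TIMESTAMPS},
 * {@link #CHECK_REVOCATION_STATUS_OCSP}, {@link #CHECK_REVOCATION_STATUS_CRL}, {@link #CHECK_TRUST_CHAIN}).
 *
 * <p>Security model of verification: a successful {@link #verifySignedUddiEntity} proves only that the document
 * was signed with the private key matching the certificate that was used to verify it. When the signature carries an
 * embedded certificate (or a subject-name / issuer-serial reference that resolves in the local trust store) that
 * certificate is used as-is, so unless {@link #CHECK_TRUST_CHAIN} (and ideally one of the revocation checks) is
 * enabled, a document signed with any key pair at all will verify. Without an embedded certificate the certificate
 * under {@link #SIGNATURE_KEYSTORE_KEY_ALIAS} in the configured signing keystore is used instead, which pins the
 * expected signer.
 *
 * <p>Signing defaults to SHA-1 digests and RSA-SHA1 signatures for backwards compatibility. Both are weak; set
 * {@link #SIGNATURE_OPTION_DIGEST_METHOD} and {@link #SIGNATURE_METHOD} (for example to
 * {@code http://www.w3.org/2001/04/xmlenc#sha256} and {@code http://www.w3.org/2001/04/xmldsig-more#rsa-sha256}).
 * Verification runs the JDK's XML signature secure-validation mode, which on recent JDKs rejects SHA-1 signatures.
 *
 * <p>The revocation checks mutate process-wide JVM state ({@code ocsp.enable} security property and
 * {@code com.sun.security.enableCRLDP} system property) and the OCSP check uses the JDK-internal
 * {@code sun.security.provider.certpath.OCSP} API; see the individual methods.
 *
 * <p>Instances are not designed to be reconfigured ({@link #put}, {@link #clear}) while other threads are signing or
 * verifying with them.
 */
public class DigSigUtil {
    public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD_PROVIDER = "signatureKeystoreKeyPassENCProvider";
    public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD_WAS_ENC = "signatureKeystoreKeyPassENC";
    public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD_CIPHER = "signatureKeyStoreCipherPass";
    public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD_WASENC = "signatureKeystoreFilePassENC";
    public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD_PROVIDER = "signatureKeystoreFileENCProvider";
    public static final String TRUSTSTORE_FILE_PASSWORD_WASENC = "truststoreFilePassENC";
    public static final String TRUSTSTORE_FILE_PASSWORD_PROVIDER = "truststoreFilePassENCProvider";
    public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD_CIPHER = "signatureKeystoreFileKeyPass";
    public static final String TRUSTSTORE_FILE_PASSWORD_CIPHER = "truststoreFilePass";
    /** Logger named after the runtime class of this instance. */
    private final Log logger;
    /** Configuration; see the {@code SIGNATURE_*}, {@code TRUSTSTORE_*} and {@code CHECK_*} keys. */
    private final Properties map;
    public static final String SIGNATURE_KEYSTORE_FILE = "keyStorePath";
    public static final String SIGNATURE_KEYSTORE_FILETYPE = "keyStoreType";
    public static final String SIGNATURE_KEYSTORE_FILE_PASSWORD = "filePassword";
    public static final String SIGNATURE_KEYSTORE_KEY_PASSWORD = "keyPassword";
    public static final String SIGNATURE_KEYSTORE_KEY_ALIAS = "keyAlias";
    public static final String TRUSTSTORE_FILE = "trustStorePath";
    public static final String TRUSTSTORE_FILETYPE = "trustStoreType";
    public static final String TRUSTSTORE_FILE_PASSWORD = "trustStorePassword";
    public static final String CANONICALIZATIONMETHOD = "CanonicalizationMethod";
    public static final String SIGNATURE_METHOD = "SignatureMethod";
    public static final String SIGNATURE_OPTION_CERT_INCLUSION_BASE64 = "BASE64";
    public static final String SIGNATURE_OPTION_CERT_INCLUSION_SERIAL = "SERIAL";
    public static final String SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN = "SUBJECTDN";
    public static final String XML_DIGSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    public static final String SIGNATURE_OPTION_DIGEST_METHOD = "digestMethod";
    public static final String CHECK_TIMESTAMPS = "checkTimestamps";
    /** X.509 factory used to parse embedded certificates and to build certificate paths for PKIX validation. */
    private final CertificateFactory cf;
    public static final String CHECK_REVOCATION_STATUS_OCSP = "checkRevocationOCSP";
    public static final String CHECK_REVOCATION_STATUS_CRL = "checkRevocationCRL";
    public static final String CHECK_TRUST_CHAIN = "checkTrust";

    /**
     * Creates a utility backed by the given configuration.
     *
     * @param properties configuration keyed by the constants of this class; the instance keeps a reference to it
     *     rather than copying it, and {@code null} yields an empty configuration
     * @throws CertificateException if no X.509 {@link CertificateFactory} is available
     */
    public DigSigUtil(Properties properties) throws CertificateException {
        this.logger = LogFactory.getLog(getClass());
        this.cf = CertificateFactory.getInstance("X.509");
        this.map = properties == null ? new Properties() : properties;
    }

    /**
     * Creates a utility with an empty configuration; populate it with {@link #put}.
     *
     * @throws CertificateException if no X.509 {@link CertificateFactory} is available
     */
    public DigSigUtil() throws CertificateException {
        this(new Properties());
    }

    /**
     * Sets one configuration value.
     *
     * @param key one of the constants of this class
     * @param value the value; {@code null} removes the key (a {@link Properties} cannot hold null values)
     */
    public void put(String key, String value) {
        if (value == null) {
            map.remove(key);
        } else {
            map.setProperty(key, value);
        }
    }

    /** Removes every configuration value. */
    public void clear() {
        map.clear();
    }

    /**
     * Signs a UDDI entity with the private key from the configured signing keystore.
     *
     * <p>The entity is marshalled with JAXB, an enveloped signature is appended to the root element, and the result
     * is unmarshalled back into the entity's class.
     *
     * @param entity the JAXB-bindable entity to sign
     * @param <T> the entity type
     * @return a new, signed copy of the entity
     * @throws IllegalArgumentException if {@code entity} is null
     * @throws RuntimeException wrapping any keystore or signing failure
     */
    public <T> T signUddiEntity(T entity) {
        if (entity == null) {
            throw new IllegalArgumentException("entity");
        }
        Document document = marshalToDocument(entity);
        try {
            KeyStore.PrivateKeyEntry signingKey = loadSigningKeyEntry();
            signDOM(document.getDocumentElement(), signingKey.getPrivateKey(), signingKey.getCertificate());
            return unmarshalAs(document, entity);
        } catch (Exception e) {
            throw new RuntimeException("Signature failure due to: " + e.getMessage(), e);
        }
    }

    /**
     * Signs a UDDI entity with an explicitly supplied key and certificate.
     *
     * @param entity the JAXB-bindable entity to sign
     * @param certificate the X.509 certificate matching {@code privateKey}; it is referenced or embedded in the
     *     signature according to the {@code SIGNATURE_OPTION_CERT_INCLUSION_*} options
     * @param privateKey the signing key
     * @param <T> the entity type
     * @return a new, signed copy of the entity
     * @throws IllegalArgumentException if {@code entity} is null
     * @throws RuntimeException wrapping any signing failure
     */
    public <T> T signUddiEntity(T entity, Certificate certificate, PrivateKey privateKey) {
        if (entity == null) {
            throw new IllegalArgumentException("entity");
        }
        Document document = marshalToDocument(entity);
        try {
            signDOM(document.getDocumentElement(), privateKey, certificate);
            return unmarshalAs(document, entity);
        } catch (Exception e) {
            throw new RuntimeException("Signature failure due to: " + e.getMessage(), e);
        }
    }

    /** Marshals a JAXB entity into a fresh DOM document. */
    private static Document marshalToDocument(Object entity) {
        DOMResult result = new DOMResult();
        JAXB.marshal(entity, result);
        return (Document) result.getNode();
    }

    /** Unmarshals {@code document} back into the runtime class of {@code template}. */
    @SuppressWarnings("unchecked")
    private static <T> T unmarshalAs(Document document, T template) {
        // JAXB returns an instance of template.getClass(), which is T (or a subclass) by construction.
        return (T) JAXB.unmarshal(new DOMSource(document), template.getClass());
    }

    /**
     * Prints the JAXB XML form of {@code obj} to standard output (debugging aid).
     *
     * @param obj any JAXB-bindable object
     */
    public static void JAXB_ToStdOut(Object obj) {
        System.out.println(JAXB_ToString(obj));
    }

    /**
     * Returns the JAXB XML form of {@code obj}.
     *
     * @param obj any JAXB-bindable object
     * @return the marshalled XML
     */
    public static String JAXB_ToString(Object obj) {
        StringWriter writer = new StringWriter();
        JAXB.marshal(obj, writer);
        return writer.toString();
    }

    /**
     * Extracts the certificate a signed entity claims to be signed with.
     *
     * <p>The certificate comes straight out of the document (or out of the local trust store when the signature only
     * references it by subject name or issuer/serial); nothing about it has been validated at this point.
     *
     * @param entity the signed JAXB-bindable entity
     * @return the certificate, or {@code null} if the entity carries no usable {@code KeyInfo}
     * @throws IllegalArgumentException if {@code entity} is null
     * @throws CertificateException if an embedded certificate cannot be parsed
     */
    public X509Certificate getSigningCertificatePublicKey(Object entity) throws IllegalArgumentException, CertificateException {
        if (entity == null) {
            throw new IllegalArgumentException("entity");
        }
        return getSigningCertificatePublicKey(marshalToDocument(entity).getDocumentElement());
    }

    /**
     * Walks {@code element}/{@code ds:Signature}/{@code KeyInfo}/{@code X509Data} looking first for an embedded
     * {@code X509Certificate}, then for a reference that resolves in the local trust store. Only the first
     * {@code Signature} child and its first {@code KeyInfo} are inspected.
     */
    private X509Certificate getSigningCertificatePublicKey(Element element) throws IllegalArgumentException, CertificateException {
        if (element == null) {
            throw new IllegalArgumentException("element");
        }
        Node signature = firstChild(element, XML_DIGSIG_NS, "Signature");
        if (signature == null) {
            return null;
        }
        Node keyInfo = firstChild(signature, null, "KeyInfo");
        if (keyInfo == null) {
            return null;
        }
        NodeList keyInfoChildren = keyInfo.getChildNodes();
        for (int i = 0; i < keyInfoChildren.getLength(); i++) {
            Node x509Data = keyInfoChildren.item(i);
            if (!"X509Data".equalsIgnoreCase(x509Data.getLocalName())) {
                continue;
            }
            Node embedded = firstChild(x509Data, null, "X509Certificate");
            if (embedded != null) {
                X509Certificate certificate = parsePemCertificate(embedded.getTextContent());
                logger.info("embedded certificate found, X509 public key " + subjectOf(certificate));
                return certificate;
            }
            X509Certificate fromTrustStore = FindCert(x509Data.getChildNodes());
            if (fromTrustStore != null) {
                logger.info("certificate loaded from local trust store, X509 public key " + subjectOf(fromTrustStore));
                return fromTrustStore;
            }
        }
        return null;
    }

    /**
     * Returns the first element child of {@code parent} with the given local name (case-insensitive) and, when
     * {@code namespaceUri} is non-null, exactly that namespace; text and comment nodes are skipped.
     */
    private static Node firstChild(Node parent, String namespaceUri, String localName) {
        NodeList children = parent.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            if (!localName.equalsIgnoreCase(child.getLocalName())) {
                continue;
            }
            if (namespaceUri != null && !namespaceUri.equals(child.getNamespaceURI())) {
                continue;
            }
            return child;
        }
        return null;
    }

    /** Parses the base64 body of an {@code X509Certificate} element by wrapping it in PEM armour. */
    private X509Certificate parsePemCertificate(String base64Body) throws CertificateException {
        String pem = "-----BEGIN CERTIFICATE-----\n" + base64Body + "\n-----END CERTIFICATE-----";
        Certificate certificate = cf.generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        if (!(certificate instanceof X509Certificate)) {
            throw new CertificateException("embedded certificate is not an X.509 certificate");
        }
        return (X509Certificate) certificate;
    }

    /** RFC 2253 subject name of a certificate, for log messages. */
    private static String subjectOf(X509Certificate certificate) {
        return certificate.getSubjectX500Principal().getName();
    }

    /** Whether the boolean configuration flag {@code key} is set to {@code true}; an absent key counts as false. */
    private boolean isEnabled(String key) {
        return Boolean.parseBoolean(map.getProperty(key));
    }

    /**
     * Verifies the enveloped signature on a UDDI entity.
     *
     * <p>The certificate is taken from the signature's {@code KeyInfo} when present (see
     * {@link #getSigningCertificatePublicKey(Object)}), otherwise from the configured signing keystore. With an
     * embedded certificate the optional checks {@link #CHECK_TIMESTAMPS}, {@link #CHECK_REVOCATION_STATUS_OCSP},
     * {@link #CHECK_REVOCATION_STATUS_CRL} and {@link #CHECK_TRUST_CHAIN} are applied first; any failure short-circuits
     * and the cryptographic check is not attempted. With a keystore certificate only {@link #CHECK_TIMESTAMPS}
     * applies, since the certificate is already operator-controlled.
     *
     * @param entity the signed JAXB-bindable entity
     * @param outMessage receives a description of every failed check; pass it empty (anything already in it is
     *     treated as an existing failure). May be {@code null}, in which case messages are discarded
     * @return {@code true} only if every enabled check passed and the first {@code ds:Signature} element validates
     *     against the selected public key
     * @throws IllegalArgumentException if {@code entity} is null
     */
    public boolean verifySignedUddiEntity(Object entity, AtomicReference<String> outMessage) throws IllegalArgumentException {
        AtomicReference<String> messages = outMessage == null ? new AtomicReference<>("") : outMessage;
        if (messages.get() == null) {
            messages.set("");
        }
        if (entity == null) {
            throw new IllegalArgumentException("obj");
        }
        try {
            Element root = marshalToDocument(entity).getDocumentElement();
            X509Certificate signingCertificate = getSigningCertificatePublicKey(root);
            if (signingCertificate == null) {
                return verifyWithConfiguredCertificate(root, messages);
            }
            String subject = subjectOf(signingCertificate);
            logger.info("verifying signature based on X509 public key " + subject);
            if (isEnabled(CHECK_TIMESTAMPS)) {
                // Throws CertificateExpiredException / CertificateNotYetValidException; reported by the catch below.
                signingCertificate.checkValidity();
            }
            if (isEnabled(CHECK_REVOCATION_STATUS_OCSP)) {
                checkRevocationViaOcsp(signingCertificate, messages);
            }
            if (isEnabled(CHECK_REVOCATION_STATUS_CRL)) {
                checkRevocationViaCrl(signingCertificate, messages);
            }
            if (isEnabled(CHECK_TRUST_CHAIN)) {
                checkTrustChain(signingCertificate, messages);
            }
            if (!messages.get().isEmpty()) {
                // A failed certificate check is final; do not bother validating the signature value.
                return false;
            }
            return verifySignature(root, signingCertificate.getPublicKey(), messages);
        } catch (Exception e) {
            logger.error("Error caught validating signature", e);
            messages.set("Error caught validating signature: " + e.getMessage() + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + messages.get());
            return false;
        }
    }

    /**
     * Fallback for signatures without a usable {@code KeyInfo}: verify against the certificate stored under
     * {@link #SIGNATURE_KEYSTORE_KEY_ALIAS} in the configured signing keystore. Only the certificate is read, so the
     * private-key password is not needed here.
     */
    private boolean verifyWithConfiguredCertificate(Element root, AtomicReference<String> messages) throws Exception {
        logger.info("signature did not have an embedded X509 public key. reverting to user specified certificate");
        if (map.getProperty(SIGNATURE_KEYSTORE_FILETYPE) == null) {
            messages.set("The signed entity is signed but does not have a certificate attached and you didn't specify a keystore for me to look it up in. " + messages.get());
            return false;
        }
        String alias = map.getProperty(SIGNATURE_KEYSTORE_KEY_ALIAS);
        if (alias == null) {
            messages.set("The signed entity does not have a certificate attached and no " + SIGNATURE_KEYSTORE_KEY_ALIAS + " is configured to look one up" + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + messages.get());
            return false;
        }
        KeyStore keyStore = loadSigningKeyStore();
        Certificate certificate = keyStore.getCertificate(alias);
        if (certificate == null) {
            messages.set("No certificate with alias " + alias + " was found in the configured keystore" + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + messages.get());
            return false;
        }
        if (isEnabled(CHECK_TIMESTAMPS) && certificate instanceof X509Certificate) {
            ((X509Certificate) certificate).checkValidity();
        }
        return verifySignature(root, certificate.getPublicKey(), messages);
    }

    /**
     * Asks the issuer's OCSP responder for the revocation status of {@code certificate}. The issuer certificate is
     * looked up by subject name in the trust store; if it is not there the status cannot be checked and a failure
     * message is recorded.
     *
     * <p>Uses the JDK-internal {@code sun.security.provider.certpath.OCSP} API (needs an {@code --add-exports} on
     * modular JDKs) and sets the process-wide {@code ocsp.enable} security property to {@code false} (inherited
     * behaviour, presumably to keep the PKIX validator used by the other checks from doing its own OCSP lookups).
     */
    private void checkRevocationViaOcsp(X509Certificate certificate, AtomicReference<String> messages) throws Exception {
        String subject = subjectOf(certificate);
        logger.info("verifying revocation status via OSCP for X509 public key " + subject);
        X500Principal issuer = certificate.getIssuerX500Principal();
        logger.info("certificate " + subject + " was issued by " + issuer.getName() + ", attempting to retrieve certificate");
        Security.setProperty("ocsp.enable", "false");
        X509Certificate issuerCertificate = FindCertByDN(issuer);
        if (issuerCertificate == null) {
            messages.set("Unable to verify certificate status from OCSP because the issuer of the certificate is not in the trust store. " + messages.get());
            return;
        }
        OCSP.RevocationStatus status = OCSP.check(certificate, issuerCertificate);
        // The revocation reason may be null for a certificate that is not revoked; never dereference it directly.
        String reason = String.valueOf(status.getRevocationReason());
        logger.info("certificate " + subject + " revocation status is " + status.getCertStatus() + " reason " + reason);
        if (status.getCertStatus() != OCSP.RevocationStatus.CertStatus.GOOD) {
            messages.set("Certificate status is " + status.getCertStatus() + " reason " + reason + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + messages.get());
        }
    }

    /**
     * Runs PKIX validation of {@code certificate} against the trust store with revocation checking enabled, so the
     * validator fetches and evaluates the CRL named in the certificate's distribution points. Fails closed: a CRL
     * that cannot be retrieved counts as a failure, as does a revoked certificate.
     *
     * <p>Sets the process-wide {@code ocsp.enable} security property to {@code false} and the
     * {@code com.sun.security.enableCRLDP} system property to {@code true} (inherited behaviour).
     */
    private void checkRevocationViaCrl(X509Certificate certificate, AtomicReference<String> messages) {
        String subject = subjectOf(certificate);
        logger.info("verifying revokation status via CRL for X509 public key " + subject);
        try {
            Security.setProperty("ocsp.enable", "false");
            System.setProperty("com.sun.security.enableCRLDP", "true");
            PKIXParameters parameters = new PKIXParameters(GetTrustStore());
            parameters.setRevocationEnabled(true);
            validatePath(certificate, parameters);
            logger.info("revokation status via CRL PASSED for X509 public key " + subject);
        } catch (Exception e) {
            messages.set("Certificate status is via CRL Failed: " + e.getMessage() + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + messages.get());
        }
    }

    /**
     * Runs PKIX validation of {@code certificate} against the trust store with revocation checking disabled, i.e.
     * checks that the certificate chains to a trust anchor from {@link #GetTrustStore()}.
     */
    private void checkTrustChain(X509Certificate certificate, AtomicReference<String> messages) {
        String subject = subjectOf(certificate);
        logger.info("verifying trust chain X509 public key " + subject);
        try {
            PKIXParameters parameters = new PKIXParameters(GetTrustStore());
            parameters.setRevocationEnabled(false);
            PKIXCertPathValidatorResult result = validatePath(certificate, parameters);
            X509Certificate anchor = result.getTrustAnchor().getTrustedCert();
            logger.info("trust chain validated X509 public key " + subject + (anchor == null ? "" : " anchored at " + subjectOf(anchor)));
        } catch (Exception e) {
            messages.set("Certificate status Trust validation failed: " + e.getMessage() + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + messages.get());
        }
    }

    /**
     * Validates the single-certificate path {@code certificate} with the default PKIX validator. Only the leaf is
     * supplied, so it must be issued directly by one of the trust anchors in {@code parameters} (every certificate
     * in the trust store is an anchor).
     */
    private PKIXCertPathValidatorResult validatePath(X509Certificate certificate, PKIXParameters parameters) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
        return (PKIXCertPathValidatorResult) validator.validate(cf.generateCertPath(Arrays.asList(certificate)), parameters);
    }

    /**
     * Loads the trust store used for issuer lookup, CRL and trust-chain checks, trying in order:
     * <ol>
     *   <li>the OS store, when {@link #TRUSTSTORE_FILETYPE} is {@code WINDOWS-ROOT};</li>
     *   <li>the file named by the {@code javax.net.ssl.keyStore} system property (inherited quirk: that is the TLS
     *       <em>key</em> store property, not {@code javax.net.ssl.trustStore});</li>
     *   <li>{@link #TRUSTSTORE_FILE} as a classpath resource or file, with {@link #TRUSTSTORE_FILE_PASSWORD};</li>
     *   <li>the JRE's default {@code cacerts} (password {@code changeit}) under {@code JAVA_HOME} or
     *       {@code java.home}.</li>
     * </ol>
     * The last step silently widens trust to every public CA the JRE ships with, so a misconfigured
     * {@link #TRUSTSTORE_FILE} does not fail closed; it is logged at warn level.
     *
     * @return an initialised keystore
     * @throws KeyStoreException if none of the candidates could be loaded
     */
    private KeyStore GetTrustStore() throws Exception {
        String type = map.getProperty(TRUSTSTORE_FILETYPE);
        if (type == null) {
            type = "JKS";
        }
        KeyStore keyStore = KeyStore.getInstance(type);
        if ("WINDOWS-ROOT".equalsIgnoreCase(type)) {
            keyStore.load(null, null);
            logger.info("trust store loaded from windows");
            return keyStore;
        }
        String systemPath = System.getProperty("javax.net.ssl.keyStore");
        String systemPassword = System.getProperty("javax.net.ssl.keyStorePassword");
        if (systemPath != null && systemPassword != null
                && tryLoad(keyStore, new File(systemPath).toURI().toURL(), systemPassword, "sysprop " + systemPath)) {
            return keyStore;
        }
        String path = map.getProperty(TRUSTSTORE_FILE);
        String password = map.getProperty(TRUSTSTORE_FILE_PASSWORD);
        if (path == null || password == null) {
            logger.warn("trust store not configured (" + TRUSTSTORE_FILE + " / " + TRUSTSTORE_FILE_PASSWORD + ")");
        } else {
            URL url = locateResource(path);
            if (url == null) {
                logger.warn("configured trust store " + path + " not found on the classpath or file system");
            } else if (tryLoad(keyStore, url, password, url.toExternalForm())) {
                return keyStore;
            }
        }
        logger.warn("falling back to the JRE default cacerts trust store, which trusts every public CA it ships with");
        String[] javaHomes = {System.getenv("JAVA_HOME"), System.getProperty("java.home")};
        String[] cacertsPaths = {
            "lib" + File.separator + "security" + File.separator + "cacerts",
            "jre" + File.separator + "lib" + File.separator + "security" + File.separator + "cacerts"};
        for (String home : javaHomes) {
            if (home == null) {
                continue;
            }
            for (String relative : cacertsPaths) {
                File cacerts = new File(home, relative);
                // "changeit" is the JDK's well-known default password for the shipped cacerts file.
                if (cacerts.exists() && tryLoad(keyStore, cacerts.toURI().toURL(), "changeit", "JRE " + cacerts.getPath())) {
                    return keyStore;
                }
            }
        }
        logger.warn("unable to load trust store!");
        throw new KeyStoreException("unable to load trust store");
    }

    /** Loads {@code keyStore} from {@code url}, closing the stream; returns false (and logs) on any failure. */
    private boolean tryLoad(KeyStore keyStore, URL url, String password, String description) {
        if (url == null) {
            return false;
        }
        try (InputStream in = url.openStream()) {
            keyStore.load(in, password.toCharArray());
            logger.info("trust store loaded from " + description);
            return true;
        } catch (Exception e) {
            logger.warn("unable to load truststore from " + description + StringUtils.SPACE + e.getMessage());
            logger.debug("unable to load truststore from " + description, e);
            return false;
        }
    }

    /**
     * Resolves a configured store location: first as a context-classloader resource, then as an existing file, then
     * as a resource of this class's loader.
     *
     * @return the URL, or {@code null} if nothing was found
     */
    private URL locateResource(String name) {
        if (name == null) {
            return null;
        }
        ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
        URL url = contextLoader == null ? null : contextLoader.getResource(name);
        if (url == null) {
            File file = new File(name);
            if (file.exists()) {
                try {
                    url = file.toURI().toURL();
                } catch (MalformedURLException e) {
                    logger.debug("cannot convert " + name + " to a URL", e);
                }
            }
        }
        if (url == null) {
            ClassLoader ownLoader = getClass().getClassLoader();
            if (ownLoader != null) {
                url = ownLoader.getResource(name);
            }
        }
        return url;
    }

    /**
     * Opens the signing keystore described by {@link #SIGNATURE_KEYSTORE_FILETYPE}, {@link #SIGNATURE_KEYSTORE_FILE}
     * and {@link #SIGNATURE_KEYSTORE_FILE_PASSWORD}; {@code WINDOWS-MY} is loaded from the OS store without a file.
     *
     * @throws IllegalStateException if the required configuration is missing
     * @throws IOException if the keystore cannot be found or read
     */
    private KeyStore loadSigningKeyStore() throws Exception {
        String type = map.getProperty(SIGNATURE_KEYSTORE_FILETYPE);
        if (type == null) {
            throw new IllegalStateException("signing keystore type (" + SIGNATURE_KEYSTORE_FILETYPE + ") is not configured");
        }
        KeyStore keyStore = KeyStore.getInstance(type);
        if ("WINDOWS-MY".equalsIgnoreCase(type)) {
            keyStore.load(null, null);
            return keyStore;
        }
        String path = map.getProperty(SIGNATURE_KEYSTORE_FILE);
        String filePassword = map.getProperty(SIGNATURE_KEYSTORE_FILE_PASSWORD);
        if (path == null || filePassword == null) {
            throw new IllegalStateException("signing keystore path (" + SIGNATURE_KEYSTORE_FILE + ") and password ("
                    + SIGNATURE_KEYSTORE_FILE_PASSWORD + ") must both be configured");
        }
        URL url = locateResource(path);
        if (url == null) {
            throw new IOException("signing keystore not found on the classpath or file system: " + path);
        }
        try (InputStream in = url.openStream()) {
            keyStore.load(in, filePassword.toCharArray());
        }
        return keyStore;
    }

    /**
     * Reads the private-key entry {@link #SIGNATURE_KEYSTORE_KEY_ALIAS} from the signing keystore, unlocking it with
     * {@link #SIGNATURE_KEYSTORE_KEY_PASSWORD} or, when that is unset, the file password. {@code WINDOWS-MY}
     * entries are read without a password.
     */
    private KeyStore.PrivateKeyEntry loadSigningKeyEntry() throws Exception {
        KeyStore keyStore = loadSigningKeyStore();
        String alias = map.getProperty(SIGNATURE_KEYSTORE_KEY_ALIAS);
        if (alias == null) {
            throw new IllegalStateException("signing key alias (" + SIGNATURE_KEYSTORE_KEY_ALIAS + ") is not configured");
        }
        KeyStore.ProtectionParameter protection = null;
        if (!"WINDOWS-MY".equalsIgnoreCase(map.getProperty(SIGNATURE_KEYSTORE_FILETYPE))) {
            String keyPassword = map.getProperty(SIGNATURE_KEYSTORE_KEY_PASSWORD);
            if (keyPassword == null) {
                keyPassword = map.getProperty(SIGNATURE_KEYSTORE_FILE_PASSWORD);
            }
            protection = new KeyStore.PasswordProtection(keyPassword.toCharArray());
        }
        KeyStore.Entry entry = keyStore.getEntry(alias, protection);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalStateException("alias " + alias + " is not a private key entry in the signing keystore");
        }
        return (KeyStore.PrivateKeyEntry) entry;
    }

    /** The JSR-105 factory for the default DOM mechanism. */
    private XMLSignatureFactory initXMLSigFactory() {
        return XMLSignatureFactory.getInstance();
    }

    /**
     * Builds the single reference of the signature: the whole document (URI {@code ""}) with the enveloped-signature
     * transform, digested with {@link #SIGNATURE_OPTION_DIGEST_METHOD} or, by default, SHA-1.
     */
    private Reference initReference(XMLSignatureFactory factory) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        String digestMethod = map.getProperty(SIGNATURE_OPTION_DIGEST_METHOD);
        if (digestMethod == null) {
            digestMethod = "http://www.w3.org/2000/09/xmldsig#sha1";
            logger.warn("no " + SIGNATURE_OPTION_DIGEST_METHOD + " configured, defaulting to SHA-1 (" + digestMethod
                    + "); configure a SHA-2 digest method");
        }
        return factory.newReference("",
                factory.newDigestMethod(digestMethod, (DigestMethodParameterSpec) null),
                Collections.singletonList(factory.newTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature", (TransformParameterSpec) null)),
                (String) null, (String) null);
    }

    /**
     * Builds the {@code SignedInfo}: canonicalization per {@link #CANONICALIZATIONMETHOD} (default exclusive C14N),
     * signature algorithm per {@link #SIGNATURE_METHOD} (default RSA-SHA1), and the reference from
     * {@link #initReference}.
     */
    private SignedInfo initSignedInfo(XMLSignatureFactory factory) throws Exception {
        Reference reference = initReference(factory);
        String canonicalization = map.getProperty(CANONICALIZATIONMETHOD);
        if (canonicalization == null) {
            canonicalization = "http://www.w3.org/2001/10/xml-exc-c14n#";
        }
        String signatureMethod = map.getProperty(SIGNATURE_METHOD);
        if (signatureMethod == null) {
            signatureMethod = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
            logger.warn("no " + SIGNATURE_METHOD + " configured, defaulting to RSA-SHA1 (" + signatureMethod
                    + "); configure a SHA-2 signature method");
        }
        return factory.newSignedInfo(
                factory.newCanonicalizationMethod(canonicalization, (C14NMethodParameterSpec) null),
                factory.newSignatureMethod(signatureMethod, (SignatureMethodParameterSpec) null),
                Collections.singletonList(reference));
    }

    /**
     * Validates the first {@code ds:Signature} element under {@code element} against {@code publicKey} in JSR-105
     * secure-validation mode. On failure, per-reference diagnostics are logged and appended to {@code messages}.
     *
     * @throws RuntimeException if the element contains no signature
     */
    private boolean verifySignature(Element element, PublicKey publicKey, AtomicReference<String> messages) {
        AtomicReference<String> out = messages == null ? new AtomicReference<>("") : messages;
        if (publicKey == null) {
            throw new IllegalArgumentException("publicKey");
        }
        XMLSignatureFactory factory = initXMLSigFactory();
        NodeList signatures = element.getElementsByTagNameNS(XML_DIGSIG_NS, "Signature");
        if (signatures.getLength() == 0) {
            throw new RuntimeException("Cannot find Signature element");
        }
        // Only the first Signature element in document order is validated.
        DOMValidateContext context = new DOMValidateContext(publicKey, signatures.item(0));
        try {
            // Keeps the dereferenced data so getCalculatedDigestValue() works in the diagnostics below.
            context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
            // The SignedInfo comes from an untrusted document: secure validation rejects XSLT transforms,
            // weak keys/algorithms and external reference URIs. The policy can be tuned with the
            // jdk.xml.dsig.secureValidationPolicy security property; recent JDKs enable this mode by default.
            context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            XMLSignature signature = factory.unmarshalXMLSignature(context);
            boolean valid = signature.validate(context);
            if (valid) {
                logger.info("Signature passed core validation");
            } else {
                logger.warn("Signature failed core validation");
                explainFailure(signature, context, out);
            }
            return valid;
        } catch (Exception e) {
            out.set("signature validation failed: " + e.getMessage() + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + out.get());
            logger.error("signature validation failed", e);
            return false;
        }
    }

    /** Logs and records which part of a failed signature (signature value, each reference digest) did not validate. */
    private void explainFailure(XMLSignature signature, DOMValidateContext context, AtomicReference<String> out) throws Exception {
        boolean signatureValueValid = signature.getSignatureValue().validate(context);
        logger.debug("signature validation status: " + signatureValueValid);
        out.set("signature validation failed: " + signatureValueValid + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + out.get());
        int index = 0;
        for (Object referenceObject : signature.getSignedInfo().getReferences()) {
            Reference reference = (Reference) referenceObject;
            boolean referenceValid = reference.validate(context);
            logger.debug("ref[" + index + "] validity status: " + referenceValid);
            if (!referenceValid) {
                out.set("signature reference " + index + " invalid. " + out.get());
            }
            logger.debug("Ref type: " + reference.getType() + ", URI: " + reference.getURI());
            for (Object transform : reference.getTransforms()) {
                logger.debug("Transform: " + transform);
            }
            String calculated = digestToString(reference.getCalculatedDigestValue());
            String expected = digestToString(reference.getDigestValue());
            logger.warn("    Calc Digest: " + calculated);
            logger.warn("Expected Digest: " + expected);
            if (!calculated.equalsIgnoreCase(expected)) {
                out.set("digest mismatch for signature ref " + index + DefaultExpressionEngine.DEFAULT_PROPERTY_DELIMITER + out.get());
            }
            index++;
        }
    }

    /** Lower-case hex encoding of {@code digest}; {@code null} encodes as the empty string. */
    private static String digestToString(byte[] digest) {
        if (digest == null) {
            return "";
        }
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
        }
        return hex.toString();
    }

    /**
     * Appends an enveloped signature to {@code node}. The {@code KeyInfo} carries the certificate identifiers selected
     * by the {@code SIGNATURE_OPTION_CERT_INCLUSION_*} keys (presence of the key enables the option); at least one
     * must be enabled, otherwise the signature could not name its certificate.
     *
     * @throws IllegalArgumentException if {@code certificate} is not X.509 or {@code privateKey} is null
     * @throws IllegalStateException if no certificate inclusion option is configured
     * @throws RuntimeException wrapping any signing failure
     */
    private void signDOM(Node node, PrivateKey privateKey, Certificate certificate) {
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException("certificate must be an X.509 certificate");
        }
        if (privateKey == null) {
            throw new IllegalArgumentException("privateKey");
        }
        X509Certificate x509 = (X509Certificate) certificate;
        XMLSignatureFactory factory = initXMLSigFactory();
        KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();
        ArrayList<X509Data> keyInfoContent = new ArrayList<>();
        if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN)) {
            keyInfoContent.add(keyInfoFactory.newX509Data(Collections.singletonList(x509.getSubjectX500Principal().getName())));
        }
        if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_BASE64)) {
            keyInfoContent.add(keyInfoFactory.newX509Data(Collections.singletonList(x509)));
        }
        if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SERIAL)) {
            keyInfoContent.add(keyInfoFactory.newX509Data(Collections.singletonList(
                    keyInfoFactory.newX509IssuerSerial(x509.getIssuerX500Principal().getName(), x509.getSerialNumber()))));
        }
        if (keyInfoContent.isEmpty()) {
            throw new IllegalStateException("at least one of " + SIGNATURE_OPTION_CERT_INCLUSION_BASE64 + ", "
                    + SIGNATURE_OPTION_CERT_INCLUSION_SERIAL + " or " + SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN
                    + " must be configured so the signature can identify its certificate");
        }
        KeyInfo keyInfo = keyInfoFactory.newKeyInfo(keyInfoContent);
        DOMSignContext signContext = new DOMSignContext(privateKey, node);
        signContext.putNamespacePrefix(XML_DIGSIG_NS, "ns2");
        try {
            factory.newXMLSignature(initSignedInfo(factory), keyInfo).sign(signContext);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Resolves an {@code X509Data} reference against the trust store: an {@code X509SubjectName} by subject DN, an
     * {@code X509IssuerSerial} by issuer DN and serial number. The first recognised reference decides the result.
     *
     * @return the matching certificate, or {@code null} if none matched or the lookup failed (logged)
     */
    private X509Certificate FindCert(NodeList nodeList) {
        for (int i = 0; i < nodeList.getLength(); i++) {
            Node node = nodeList.item(i);
            String name = node.getLocalName();
            try {
                if ("X509SubjectName".equalsIgnoreCase(name)) {
                    return FindCertByDN(new X500Principal(node.getTextContent().trim()));
                }
                if ("X509IssuerSerial".equalsIgnoreCase(name)) {
                    Node issuerName = firstChild(node, null, "X509IssuerName");
                    Node serialNumber = firstChild(node, null, "X509SerialNumber");
                    if (issuerName != null && serialNumber != null) {
                        return FindCertByIssuer(issuerName.getTextContent().trim(), serialNumber.getTextContent().trim());
                    }
                }
            } catch (Exception e) {
                logger.warn("error caught searching for a certificate", e);
                return null;
            }
        }
        return null;
    }

    /** Finds the first X.509 certificate in the trust store whose subject equals {@code subject}. */
    private X509Certificate FindCertByDN(X500Principal subject) throws Exception {
        if (subject == null) {
            return null;
        }
        KeyStore trustStore = GetTrustStore();
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            X509Certificate candidate = x509At(trustStore, aliases.nextElement());
            if (candidate != null && subject.equals(candidate.getSubjectX500Principal())) {
                return candidate;
            }
        }
        return null;
    }

    /** The certificate under {@code alias} if it is X.509, else {@code null} (secret-key entries have none). */
    private static X509Certificate x509At(KeyStore keyStore, String alias) throws KeyStoreException {
        Certificate certificate = keyStore.getCertificate(alias);
        return certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
    }

    /**
     * Fetches and parses an X.509 CRL from {@code url}. Currently unused.
     *
     * @throws CertificateException declared for compatibility; the CRL parser reports {@link CRLException}
     */
    private X509CRL downloadCRLFromWeb(String url) throws MalformedURLException, IOException, CertificateException, CRLException {
        try (InputStream in = new URL(url).openStream()) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    /**
     * Finds the first X.509 certificate in the trust store issued by {@code issuerName} with decimal serial number
     * {@code serialNumber}. The issuer is compared as a parsed {@link X500Principal} when the string is a valid DN,
     * otherwise textually against both the RFC 2253 and RFC 1779 forms of each candidate's issuer.
     */
    private X509Certificate FindCertByIssuer(String issuerName, String serialNumber) throws Exception {
        if (issuerName == null || serialNumber == null) {
            return null;
        }
        X500Principal issuer = parsePrincipal(issuerName);
        KeyStore trustStore = GetTrustStore();
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            X509Certificate candidate = x509At(trustStore, aliases.nextElement());
            if (candidate == null) {
                continue;
            }
            if (issuerMatches(candidate, issuer, issuerName) && candidate.getSerialNumber().toString().equalsIgnoreCase(serialNumber)) {
                return candidate;
            }
        }
        return null;
    }

    /** Issuer comparison used by {@link #FindCertByIssuer}; {@code issuer} is null when the DN string did not parse. */
    private static boolean issuerMatches(X509Certificate candidate, X500Principal issuer, String issuerName) {
        X500Principal candidateIssuer = candidate.getIssuerX500Principal();
        if (issuer != null) {
            return candidateIssuer.equals(issuer);
        }
        return issuerName.equals(candidateIssuer.getName()) || issuerName.equals(candidateIssuer.getName(X500Principal.RFC1779));
    }

    /** Parses a DN string, returning {@code null} instead of throwing when it is malformed. */
    private static X500Principal parsePrincipal(String distinguishedName) {
        try {
            return new X500Principal(distinguishedName);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }
}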
