package net.shibboleth.metadata.dom;

import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.metadata.ErrorStatus;
import net.shibboleth.metadata.WarningStatus;
import net.shibboleth.metadata.pipeline.BaseIteratingStage;
import net.shibboleth.metadata.pipeline.StageProcessingException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.xml.ElementSupport;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.apache.xml.security.Init;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

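/**
 * Pipeline stage that checks the XML signature, if any, on the root element of each
 * {@link DomElementItem} against a single configured public key.
 *
 * <p>The signature is looked up as a direct child {@code ds:Signature} element of the
 * item's root element. The result of the check is never used to drop an item: an
 * {@link ErrorStatus} or {@link WarningStatus} is attached to the item's metadata and
 * the item is always passed on, so a later stage must act on that status.</p>
 *
 * <p>When a {@link Certificate} is configured, only its public key is extracted and used;
 * this stage performs no validation of the certificate itself (validity period, chain,
 * revocation). Trust is pinned entirely to the configured key.</p>
 *
 * <p>Thread-safety: all setters are {@code synchronized} and refuse changes once the
 * component has been initialized, so the configuration is effectively immutable during
 * execution.</p>
 */
@ThreadSafe
public class XMLSignatureValidationStage extends BaseIteratingStage<DomElementItem> {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(XMLSignatureValidationStage.class);

    /** Whether an unsigned item is recorded as an error. Defaults to {@code true}. */
    private boolean signatureRequired = true;

    /**
     * Whether a signature that fails verification is recorded as an {@link ErrorStatus}
     * ({@code true}) or only a {@link WarningStatus} ({@code false}). Defaults to {@code true}.
     */
    private boolean validSignatureRequired = true;

    /** Certificate the verification key was taken from, or {@code null} if a bare key was set. */
    private Certificate verificationCertificate;

    /** Public key used to verify signature values; must be set before initialization. */
    private PublicKey verificationKey;

    /**
     * Gets whether an item lacking a signature is treated as an error.
     *
     * @return {@code true} if a signature is required on every item
     */
    public boolean isSignatureRequired() {
        return signatureRequired;
    }

    /**
     * Sets whether an item lacking a signature is treated as an error.
     *
     * @param z {@code true} if a signature is required on every item
     */
    public synchronized void setSignatureRequired(final boolean z) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        signatureRequired = z;
    }

    /**
     * Gets whether a signature that fails verification is recorded as an error rather than a warning.
     *
     * @return {@code true} if an invalid signature is an error
     */
    public boolean isValidSignatureRequired() {
        return validSignatureRequired;
    }

    /**
     * Sets whether a signature that fails verification is recorded as an error rather than a warning.
     *
     * @param z {@code true} if an invalid signature is an error
     */
    public synchronized void setValidSignatureRequired(final boolean z) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        validSignatureRequired = z;
    }

    /**
     * Gets the public key used to verify signatures.
     *
     * @return the verification key, or {@code null} if none has been configured
     */
    @Nullable
    public PublicKey getVerificationKey() {
        return verificationKey;
    }

    /**
     * Sets the public key used to verify signatures.
     *
     * @param publicKey the verification key, never {@code null}
     */
    public synchronized void setVerificationKey(@Nonnull final PublicKey publicKey) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        verificationKey = Constraint.isNotNull(publicKey, "Public key can not be null");
    }

    /**
     * Gets the certificate whose public key is used to verify signatures.
     *
     * @return the certificate, or {@code null} if the key was configured directly
     */
    @Nullable
    public Certificate getVerificationCertificate() {
        return verificationCertificate;
    }

    /**
     * Sets the certificate whose public key is used to verify signatures.
     *
     * <p>Only {@link Certificate#getPublicKey()} is used; the certificate is not otherwise
     * validated by this stage, and this call replaces any key set via
     * {@link #setVerificationKey(PublicKey)}.</p>
     *
     * @param certificate the certificate, never {@code null}
     */
    public synchronized void setVerificationCertificate(@Nonnull final Certificate certificate) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        verificationCertificate = Constraint.isNotNull(certificate, "Certificate can not be null");
        verificationKey = verificationCertificate.getPublicKey();
    }

    /**
     * Checks the signature on the item's root element and records the outcome as item metadata.
     *
     * <p>Always returns {@code true}: a missing or invalid signature is reported through an
     * {@link ErrorStatus} or {@link WarningStatus} on the item rather than by filtering it.</p>
     *
     * <p>The decompiler reports this method was originally declared {@code protected}; it is
     * kept {@code public} here so as not to narrow the visible API.</p>
     *
     * @param domElementItem the item to check
     * @return {@code true}, always
     * @throws StageProcessingException if the element carries more than one signature
     */
    @Override
    public boolean doExecute(@Nonnull final DomElementItem domElementItem) throws StageProcessingException {
        final Element signatureElement = getSignatureElement(domElementItem.unwrap());

        if (signatureElement == null) {
            if (!signatureRequired) {
                log.debug("DOM Element is not signed, no verification performed");
                return true;
            }
            log.debug("DOM Element was not signed and signature is required");
            domElementItem.getItemMetadata().put(
                    new ErrorStatus(getId(), "DOM Element was not signed but signatures are required"));
            return true;
        }

        // Pretty-printing is comparatively expensive, so guard it behind the level check.
        if (log.isDebugEnabled()) {
            log.debug("DOM Element contained Signature element\n{}", SerializeSupport.prettyPrintXML(signatureElement));
        }

        if (signatureVerified(signatureElement)) {
            return true;
        }

        // Invalid signature: severity of the recorded status depends on configuration.
        if (validSignatureRequired) {
            domElementItem.getItemMetadata().put(new ErrorStatus(getId(), "element signature is invalid"));
        } else {
            domElementItem.getItemMetadata().put(new WarningStatus(getId(), "element signature is invalid"));
        }
        return true;
    }

    /**
     * Verifies the given {@code ds:Signature} element's signature value against the configured key.
     *
     * <p>Only the cryptographic validity of the signature against {@link #verificationKey} is
     * established here. NOTE(review): nothing in this stage inspects which node the
     * signature's {@code Reference} actually covers; confirm that the surrounding pipeline
     * ensures the signature binds the element it is attached to.</p>
     *
     * <p>Any failure to parse or check the signature is logged at debug level and reported
     * as {@code false}; no exception escapes.</p>
     *
     * @param element the {@code ds:Signature} element
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws StageProcessingException declared for subclasses; not thrown by this implementation
     */
    protected boolean signatureVerified(@Nonnull final Element element) throws StageProcessingException {
        log.debug("Creating XML security library XMLSignature object");
        try {
            final XMLSignature signature = new XMLSignature(element, "");
            if (signature.checkSignatureValue(verificationKey)) {
                log.debug("DOM Element signature verified.");
                return true;
            }
            log.debug("DOM Element signature did not verify.");
            return false;
        } catch (final XMLSignatureException e) {
            // More specific than XMLSecurityException, so it must be caught first.
            log.debug("Unable to validate signature", e);
            return false;
        } catch (final XMLSecurityException e) {
            log.debug("Unable to read XML signature", e);
            return false;
        }
    }

    /**
     * Locates the single {@code ds:Signature} child of the given element.
     *
     * @param element the element to inspect
     * @return the signature element, or {@code null} if the element has none
     * @throws StageProcessingException if more than one direct {@code ds:Signature} child is present
     */
    @Nullable
    protected Element getSignatureElement(@Nonnull final Element element) throws StageProcessingException {
        final List<Element> signatures =
                ElementSupport.getChildElementsByTagNameNS(element, XMLSignatureSigningStage.XML_SIG_NS_URI, "Signature");
        if (signatures.isEmpty()) {
            return null;
        }
        if (signatures.size() > 1) {
            throw new StageProcessingException("DOM Element contained more than one signature");
        }
        return signatures.get(0);
    }

    /** {@inheritDoc} Releases the configured key material before delegating to the superclass. */
    @Override
    protected void doDestroy() {
        verificationCertificate = null;
        verificationKey = null;
        super.doDestroy();
    }

    /**
     * {@inheritDoc}
     *
     * <p>Requires a verification key and ensures the Apache XML Security library is initialized.</p>
     *
     * @throws ComponentInitializationException if no verification key has been configured
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (verificationKey == null) {
            throw new ComponentInitializationException(
                    "Unable to initialize " + getId() + ", no verification key was specified");
        }
        if (!Init.isInitialized()) {
            Init.init();
        }
    }
}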
