package net.shibboleth.metadata.dom;

import com.google.common.collect.ImmutableSet;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.metadata.ErrorStatus;
import net.shibboleth.metadata.Item;
import net.shibboleth.metadata.WarningStatus;
import net.shibboleth.metadata.dom.XMLSignatureValidator;
import net.shibboleth.metadata.pipeline.BaseIteratingStage;
import net.shibboleth.metadata.pipeline.StageProcessingException;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.apache.xml.security.Init;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

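/**
 * Pipeline stage that checks the XML signature on each DOM {@link Element} item against a single
 * configured verification key.
 *
 * <p>Outcome reporting is by status metadata, never by dropping the item: {@link #doExecute}
 * returns {@code true} on every path, so an unsigned or badly signed item stays in the collection
 * carrying an {@link ErrorStatus} (or a {@link WarningStatus} when {@link #isValidSignatureRequired()}
 * is {@code false}). Nothing in this stage removes such items; that has to happen elsewhere in
 * the pipeline.
 *
 * <p>Defaults: a signature is required, it must verify, no digest or signature-method identifiers
 * are blacklisted, and empty references are permitted. With the blacklists empty, whatever
 * algorithms the underlying {@link XMLSignatureValidator} accepts are accepted here; operators
 * wanting to reject weak algorithms must configure the blacklists explicitly.
 *
 * <p>Thread safety: all setters are {@code synchronized} and refuse changes once the component is
 * initialized or destroyed; the verification settings are therefore fixed for the lifetime of an
 * initialized stage.
 */
@ThreadSafe
public class XMLSignatureValidationStage extends BaseIteratingStage<Element> {

    /** Certificate supplied via {@link #setVerificationCertificate}; only its public key is used. */
    private Certificate verificationCertificate;

    /** Key used to verify signatures; set directly or taken from the certificate. */
    private PublicKey verificationKey;

    /** Validator built in {@link #doInitialize} from the configured key and options. */
    private XMLSignatureValidator validator;

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(XMLSignatureValidationStage.class);

    /** Whether an unsigned item is an error. Default: {@code true}. */
    private boolean signatureRequired = true;

    /** Whether a signature that fails verification is an error rather than a warning. Default: {@code true}. */
    private boolean validSignatureRequired = true;

    /** Digest algorithm identifiers passed to the validator as a blacklist. Default: empty. */
    @Nonnull
    private Set<String> blacklistedDigests = Collections.emptySet();

    /** Signature method identifiers passed to the validator as a blacklist. Default: empty. */
    @Nonnull
    private Set<String> blacklistedSignatureMethods = Collections.emptySet();

    /** Passed through to the validator; its exact effect is defined there. Default: {@code true}. */
    private boolean permittingEmptyReferences = true;

    /**
     * Gets whether an item without a signature is marked with an error.
     *
     * @return {@code true} if a signature is required
     */
    public boolean isSignatureRequired() {
        return this.signatureRequired;
    }

    /**
     * Sets whether an item without a signature is marked with an error.
     *
     * @param z {@code true} to require a signature
     */
    public synchronized void setSignatureRequired(boolean z) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.signatureRequired = z;
    }

    /**
     * Gets whether a signature that fails verification produces an error (rather than a warning).
     *
     * @return {@code true} if a valid signature is required
     */
    public boolean isValidSignatureRequired() {
        return this.validSignatureRequired;
    }

    /**
     * Sets whether a signature that fails verification produces an error (rather than a warning).
     *
     * @param z {@code true} to treat an invalid signature as an error
     */
    public synchronized void setValidSignatureRequired(boolean z) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.validSignatureRequired = z;
    }

    /**
     * Gets the key used to verify signatures.
     *
     * @return the verification key, or {@code null} if none has been set
     */
    @Nullable
    public PublicKey getVerificationKey() {
        return this.verificationKey;
    }

    /**
     * Sets the key used to verify signatures.
     *
     * @param publicKey the verification key, never {@code null}
     */
    public synchronized void setVerificationKey(@Nonnull PublicKey publicKey) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.verificationKey = Constraint.isNotNull(publicKey, "Public key can not be null");
    }

    /**
     * Gets the certificate whose public key is used to verify signatures.
     *
     * @return the certificate, or {@code null} if the key was set directly or nothing has been set
     */
    @Nullable
    public Certificate getVerificationCertificate() {
        return this.verificationCertificate;
    }

    /**
     * Sets the certificate whose public key is used to verify signatures. This replaces any key
     * previously set with {@link #setVerificationKey}. The certificate itself is not validated
     * here; only its public key is extracted.
     *
     * @param certificate the certificate, never {@code null}
     */
    public synchronized void setVerificationCertificate(@Nonnull Certificate certificate) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.verificationCertificate = Constraint.isNotNull(certificate, "Certificate can not be null");
        this.verificationKey = this.verificationCertificate.getPublicKey();
    }

    /**
     * Sets the digest algorithm identifiers to blacklist. The collection is copied, so later
     * changes to the caller's collection have no effect.
     *
     * @param collection identifiers to blacklist, never {@code null}
     */
    public synchronized void setBlacklistedDigests(@NonnullElements @Nonnull Collection<String> collection) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.blacklistedDigests = ImmutableSet.copyOf(Constraint.isNotNull(collection, "identifier collection may not be null"));
    }

    /**
     * Gets the blacklisted digest algorithm identifiers.
     *
     * @return unmodifiable set of identifiers, empty by default
     */
    @NonnullElements
    @Nonnull
    public Set<String> getBlacklistedDigests() {
        return Collections.unmodifiableSet(this.blacklistedDigests);
    }

    /**
     * Sets the signature method identifiers to blacklist. The collection is copied, so later
     * changes to the caller's collection have no effect.
     *
     * @param collection identifiers to blacklist, never {@code null}
     */
    public synchronized void setBlacklistedSignatureMethods(@NonnullElements @Nonnull Collection<String> collection) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.blacklistedSignatureMethods = ImmutableSet.copyOf(Constraint.isNotNull(collection, "identifier collection may not be null"));
    }

    /**
     * Gets the blacklisted signature method identifiers.
     *
     * @return unmodifiable set of identifiers, empty by default
     */
    @NonnullElements
    @Nonnull
    public Set<String> getBlacklistedSignatureMethods() {
        return Collections.unmodifiableSet(this.blacklistedSignatureMethods);
    }

    /**
     * Gets whether empty references are permitted; the option is handed to the validator unchanged.
     *
     * @return {@code true} if empty references are permitted
     */
    public boolean isPermittingEmptyReferences() {
        return this.permittingEmptyReferences;
    }

    /**
     * Sets whether empty references are permitted; the option is handed to the validator unchanged.
     *
     * @param z {@code true} to permit empty references
     */
    public synchronized void setPermittingEmptyReferences(boolean z) {
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.permittingEmptyReferences = z;
    }

    /**
     * Locates and verifies the signature on one item, recording the result as item metadata.
     *
     * <p>Branches, in order: no signature element and none required &rarr; pass silently; no
     * signature element but one required &rarr; {@link ErrorStatus}; signature verifies &rarr;
     * pass; signature fails &rarr; {@link ErrorStatus} if {@link #isValidSignatureRequired()},
     * else {@link WarningStatus}; locating the signature element itself fails &rarr;
     * {@link ErrorStatus} with the validator's message.
     *
     * @param item the item to check
     * @return always {@code true}; the item is retained whatever the outcome, and failure is
     *         visible only through its status metadata
     * @throws StageProcessingException declared by the superclass contract; not thrown here
     */
    @Override
    protected boolean doExecute(@Nonnull Item<Element> item) throws StageProcessingException {
        final Element unwrap = item.unwrap();
        try {
            final Element signatureElement = this.validator.getSignatureElement(unwrap);
            if (signatureElement == null) {
                if (!this.signatureRequired) {
                    this.log.debug("DOM Element is not signed, no verification performed");
                    return true;
                }
                this.log.debug("DOM Element was not signed and signature is required");
                item.getItemMetadata().put(new ErrorStatus(getId(), "DOM Element was not signed but signatures are required"));
                return true;
            }
            // Guarded because pretty-printing the element is only worth doing when it will be logged.
            if (this.log.isDebugEnabled()) {
                this.log.debug("DOM Element contained Signature element\n{}", SerializeSupport.prettyPrintXML(signatureElement));
            }
            try {
                this.validator.verifySignature(unwrap, signatureElement);
                return true;
            } catch (final XMLSignatureValidator.ValidationException e) {
                final String str = "element signature is invalid: " + e.getMessage();
                // "{}" placeholder so the status text actually appears in the log line.
                this.log.debug("setting status: {}", str);
                if (this.validSignatureRequired) {
                    item.getItemMetadata().put(new ErrorStatus(getId(), str));
                    return true;
                }
                item.getItemMetadata().put(new WarningStatus(getId(), str));
                return true;
            }
        } catch (final XMLSignatureValidator.ValidationException e2) {
            // Raised by getSignatureElement: the validator rejected the document before any
            // verification took place; this is always an error, regardless of validSignatureRequired.
            this.log.debug("setting status: {}", e2.getMessage());
            item.getItemMetadata().put(new ErrorStatus(getId(), e2.getMessage()));
            return true;
        }
    }

    /** Releases the key, certificate, validator and blacklists, then destroys the superclass. */
    @Override
    protected void doDestroy() {
        this.verificationCertificate = null;
        this.verificationKey = null;
        this.validator = null;
        this.blacklistedDigests = null;
        this.blacklistedSignatureMethods = null;
        super.doDestroy();
    }

    /**
     * Builds the validator from the configured key and options and ensures the XML security
     * library is initialized.
     *
     * @throws ComponentInitializationException if no verification key (or certificate) was set
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.verificationKey == null) {
            throw new ComponentInitializationException("Unable to initialize " + getId() + ", no verification key was specified");
        }
        this.validator = new XMLSignatureValidator(this.verificationKey, this.blacklistedDigests,
                this.blacklistedSignatureMethods, this.permittingEmptyReferences);
        // Init.init() is idempotent-guarded here rather than in the library call to avoid redundant setup.
        if (!Init.isInitialized()) {
            Init.init();
        }
    }
}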
