package net.shibboleth.metadata.dom;

import com.google.common.base.Strings;
import java.security.PublicKey;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.xml.AttributeSupport;
import net.shibboleth.utilities.java.support.xml.ElementSupport;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.signature.reference.ReferenceSubTreeData;
import org.apache.xml.security.transforms.TransformationException;
import org.apache.xml.security.transforms.Transforms;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;

/* loaded from: input_file:net/shibboleth/metadata/dom/XMLSignatureValidator.class */
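/**
 * Validates an enveloped XML signature on a DOM document element against a single, fixed
 * verification key.
 *
 * <p>The validator is deliberately strict about the shape of the signature it accepts:
 * <ul>
 *   <li>no {@code ds:Object} elements;</li>
 *   <li>exactly one {@code ds:Reference}, whose URI is empty (only if permitted) or a
 *       same-document fragment ({@code #...}) that resolves to the document element itself;</li>
 *   <li>at most two transforms, drawn from the enveloped-signature transform (mandatory) and
 *       exclusive canonicalization (with or without comments);</li>
 *   <li>digest and signature-method algorithm URIs may be blacklisted.</li>
 * </ul>
 *
 * <p>Transform vetting happens <em>before</em> the signature library is asked to verify the
 * signature, so that disallowed transforms are never applied; the check that the reference
 * resolved to the document element can only happen afterwards, because the resolved node is
 * only known once the library has dereferenced the reference.
 */
final class XMLSignatureValidator {

    private final Logger log = LoggerFactory.getLogger(XMLSignatureValidator.class);

    /** Key every signature is verified against; never null. */
    private final PublicKey verificationKey;

    /** Digest algorithm URIs that fail validation; never null, possibly empty. */
    private final Set<String> blacklistedDigests;

    /** Signature method algorithm URIs that fail validation; never null, possibly empty. */
    private final Set<String> blacklistedSignatureMethods;

    /** Whether a {@code ds:Reference} with an empty URI (the whole document) is acceptable. */
    private final boolean emptyReferencePermitted;

    /** Raised for any condition that makes the signature unacceptable. */
    public static class ValidationException extends Exception {
        private static final long serialVersionUID = -6649552572123849961L;

        public ValidationException() {
        }

        public ValidationException(@Nullable final String message) {
            super(message);
        }

        public ValidationException(@Nullable final Exception cause) {
            super(cause);
        }

        public ValidationException(@Nullable final String message, @Nullable final Exception cause) {
            super(message, cause);
        }
    }

    /**
     * Constructor.
     *
     * @param publicKey key used to verify signatures; must not be null
     * @param digestBlacklist digest algorithm URIs to reject; null means none
     * @param signatureMethodBlacklist signature method URIs to reject; null means none
     * @param permitEmptyReference whether an empty Reference URI is acceptable
     */
    public XMLSignatureValidator(@Nonnull final PublicKey publicKey,
            @Nullable final Set<String> digestBlacklist,
            @Nullable final Set<String> signatureMethodBlacklist,
            final boolean permitEmptyReference) {
        Constraint.isNotNull(publicKey, "public key can not be null");
        verificationKey = publicKey;
        // Defensive copies: callers may keep mutating the sets they passed in.
        blacklistedDigests = digestBlacklist == null
                ? Collections.<String>emptySet() : new HashSet<String>(digestBlacklist);
        blacklistedSignatureMethods = signatureMethodBlacklist == null
                ? Collections.<String>emptySet() : new HashSet<String>(signatureMethodBlacklist);
        emptyReferencePermitted = permitEmptyReference;
    }

    /**
     * Ensures the document element can be found by the reference's fragment identifier.
     *
     * <p>Documents processed here may carry no DTD or schema, so the DOM has no notion of which
     * attribute is the ID. If the document element does not already have a known ID attribute,
     * the first attribute whose value equals the fragment is flagged as the ID. This is only a
     * heuristic to make dereferencing possible; whether the reference really resolved to the
     * document element is checked separately after verification.
     *
     * @param docElement the document element
     * @param reference the single signature reference
     * @throws ValidationException if the reference URI is non-empty but not a fragment reference
     */
    private void markIdAttribute(@Nonnull final Element docElement, @Nonnull final Reference reference)
            throws ValidationException {
        assert docElement != null;
        assert reference != null;

        final String uri = reference.getURI();
        if (Strings.isNullOrEmpty(uri)) {
            log.debug("reference was empty; no ID marking required");
            return;
        }
        // Reject non-fragment URIs before anything else, so that one is never handed to the
        // library for dereferencing. (Checking this only after the existing-ID short-circuit
        // below let such URIs through whenever the element already carried an ID attribute.)
        if (!uri.startsWith("#")) {
            throw new ValidationException("Signature Reference URI was not a document fragment reference: " + uri);
        }
        if (AttributeSupport.getIdAttribute(docElement) != null) {
            log.debug("document element already has an ID attribute");
            return;
        }

        final String fragment = uri.substring(1);
        final NamedNodeMap attrs = docElement.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            final Attr attr = (Attr) attrs.item(i);
            if (fragment.equals(attr.getValue())) {
                log.debug("marking ID attribute {}", attr.getName());
                docElement.setIdAttributeNode(attr, true);
                return;
            }
        }
        log.debug("did not find a document element attribute with value '{}'", fragment);
    }

    /**
     * Verifies that {@code signatureElement} is an acceptable enveloped signature over
     * {@code docElement} made with the configured key.
     *
     * @param docElement the document element the signature must cover
     * @param signatureElement the {@code ds:Signature} element
     * @throws ValidationException if the signature is malformed, uses a disallowed construct or
     *         algorithm, does not verify, or does not cover the document element
     */
    public void verifySignature(@Nonnull final Element docElement, @Nonnull final Element signatureElement)
            throws ValidationException {
        assert docElement != null;
        assert signatureElement != null;

        log.debug("Creating XML security library XMLSignature object");
        try {
            // NOTE(review): built without an explicit secure-validation flag, so the library's
            // own defaults govern resolver/transform restrictions — confirm for the library
            // version in use.
            final XMLSignature signature = new XMLSignature(signatureElement, "");

            if (signature.getObjectLength() != 0) {
                throw new ValidationException("Signature contained an Object element, this is not allowed");
            }

            final Reference reference = extractReference(signature);
            markIdAttribute(docElement, reference);

            try {
                final String digestUri = reference.getMessageDigestAlgorithm().getAlgorithmURI();
                log.debug("blacklist checking digest {}", digestUri);
                if (blacklistedDigests.contains(digestUri)) {
                    log.error("Digest algorithm {} is blacklisted", digestUri);
                    throw new ValidationException("Digest algorithm " + digestUri + " is blacklisted");
                }

                final String signatureMethodUri = signature.getSignedInfo().getSignatureMethodURI();
                log.debug("blacklist checking signature method {}", signatureMethodUri);
                if (blacklistedSignatureMethods.contains(signatureMethodUri)) {
                    throw new ValidationException("Signature algorithm " + signatureMethodUri + " is blacklisted");
                }

                // Vet the declared transforms before verification: the library dereferences the
                // reference and applies its transforms while checking the signature, so a
                // disallowed transform must be rejected before it can ever run.
                validateSignatureTransforms(reference);

                if (log.isDebugEnabled()) {
                    log.debug("Verifying XML signature with key\n{}",
                            Base64Support.encode(verificationKey.getEncoded(), false));
                }
                try {
                    if (!signature.checkSignatureValue(verificationKey)) {
                        throw new ValidationException("XML document signature verification failed");
                    }
                    // Only now is the dereferenced node available for inspection.
                    validateSignatureReferenceUri(docElement, reference);
                    log.debug("XML document signature verified.");
                } catch (final XMLSignatureException verifyError) {
                    log.debug("Unable to validate signature", verifyError);
                    throw new ValidationException(
                            "XML document signature verification failed with an error: " + verifyError.getMessage(),
                            verifyError);
                }
            } catch (final XMLSignatureException algorithmError) {
                throw new ValidationException("unable to retrieve signature digest algorithm", algorithmError);
            }
        } catch (final XMLSecurityException readError) {
            throw new ValidationException("Unable to read XML signature", readError);
        }
    }

    /**
     * Returns the one and only {@code ds:Reference} of the signature.
     *
     * @param signature the parsed signature
     * @return the single reference
     * @throws ValidationException if there is not exactly one reference, it is null, or its URI
     *         is empty while empty references are not permitted
     */
    private Reference extractReference(@Nonnull final XMLSignature signature) throws ValidationException {
        final int referenceCount = signature.getSignedInfo().getLength();
        if (referenceCount != 1) {
            throw new ValidationException("Signature SignedInfo had invalid number of References: " + referenceCount);
        }
        try {
            final Reference reference = signature.getSignedInfo().item(0);
            if (reference == null) {
                throw new ValidationException("Signature Reference was null");
            }
            if (!emptyReferencePermitted && Strings.isNullOrEmpty(reference.getURI())) {
                throw new ValidationException("empty references are not permitted");
            }
            return reference;
        } catch (final XMLSecurityException e) {
            throw new ValidationException("Apache XML Security exception obtaining Reference: " + e.getMessage(), e);
        }
    }

    /**
     * Checks that the node the library actually dereferenced for the reference is the document
     * element (a whole-document reference counts, since its root is the document element).
     * Must be called after the signature has been verified, as that is when dereferencing happens.
     *
     * @param docElement the expected document element
     * @param reference the verified reference
     * @throws ValidationException if the reference did not resolve to a subtree rooted at
     *         {@code docElement}
     */
    private void validateSignatureReferenceUri(@Nonnull final Element docElement,
            @Nonnull final Reference reference) throws ValidationException {
        final ReferenceSubTreeData referenceData = reference.getReferenceData();
        if (!(referenceData instanceof ReferenceSubTreeData)) {
            throw new ValidationException("Signature Reference URI did not resolve to a subtree");
        }
        final Node root = referenceData.getRoot();
        final Node resolved = root.getNodeType() == Node.DOCUMENT_NODE
                ? ((Document) root).getDocumentElement() : root;
        if (!docElement.isSameNode(resolved)) {
            throw new ValidationException("Signature Reference URI \"" + reference.getURI()
                    + "\" was resolved to a node other than the document element");
        }
    }

    /**
     * Checks that the reference declares at most two transforms, all of which are either the
     * enveloped-signature transform or exclusive C14N, and that the enveloped-signature
     * transform is present.
     *
     * @param reference the reference whose transforms are inspected
     * @throws ValidationException if the transforms cannot be read or do not meet the policy
     */
    private void validateSignatureTransforms(@Nonnull final Reference reference) throws ValidationException {
        try {
            final Transforms transforms = reference.getTransforms();
            if (transforms == null) {
                throw new ValidationException("Error obtaining Transforms instance, null was returned");
            }
            final int transformCount = transforms.getLength();
            if (transformCount > 2) {
                throw new ValidationException("Invalid number of Transforms was present: " + transformCount);
            }

            boolean sawEnveloped = false;
            for (int i = 0; i < transformCount; i++) {
                final String transformUri;
                try {
                    transformUri = transforms.item(i).getURI();
                } catch (final TransformationException e) {
                    throw new ValidationException("Error obtaining transform instance: " + e.getMessage(), e);
                }
                if (XMLSignatureSigningStage.TRANSFORM_ENVELOPED_SIGNATURE.equals(transformUri)) {
                    log.debug("Saw Enveloped signature transform");
                    sawEnveloped = true;
                } else if (XMLSignatureSigningStage.ALGO_ID_C14N_EXCL_OMIT_COMMENTS.equals(transformUri)
                        || XMLSignatureSigningStage.ALGO_ID_C14N_EXCL_WITH_COMMENTS.equals(transformUri)) {
                    log.debug("Saw Exclusive C14N signature transform");
                } else {
                    throw new ValidationException("Saw invalid signature transform: " + transformUri);
                }
            }
            if (!sawEnveloped) {
                throw new ValidationException("Signature was missing the required Enveloped signature transform");
            }
        } catch (final XMLSecurityException e) {
            throw new ValidationException("Apache XML Security error obtaining Transforms instance: " + e.getMessage(), e);
        }
    }

    /**
     * Finds the {@code ds:Signature} child of the given element.
     *
     * @param docElement element whose direct children are searched
     * @return the signature element, or null if there is none
     * @throws ValidationException if more than one signature child is present
     */
    @Nullable
    public Element getSignatureElement(@Nonnull final Element docElement) throws ValidationException {
        final List<Element> signatures = ElementSupport.getChildElementsByTagNameNS(docElement,
                XMLSignatureSigningStage.XML_SIG_NS_URI, "Signature");
        if (signatures.isEmpty()) {
            return null;
        }
        if (signatures.size() > 1) {
            throw new ValidationException("XML document contained more than one signature, unable to process");
        }
        return signatures.get(0);
    }
}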
