package com.ibm.ws.wssecurity.xml.xss4j.dsig;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ws.wssecurity.core.SignatureEngine;
import com.ibm.ws.wssecurity.util.WSSObjectUtils;
import com.ibm.ws.wssecurity.util.io.Base64Table;
import com.ibm.ws.wssecurity.util.io.BufferExportableByteArrayOutputStream;
import com.ibm.ws.wssecurity.util.io.ByteArrayHolder;
import com.ibm.ws.wssecurity.wssobject.impl.dsig.Signature;
import com.ibm.ws.wssecurity.wssobject.impl.dsig.SignedInfo;
import com.ibm.ws.wssecurity.wssobject.interfaces.WSSObject;
import com.ibm.ws.wssecurity.wssobject.interfaces.WSSObjectElement;
import com.ibm.ws.wssecurity.wssobject.util.NamespacePrefixPairStack;
import com.ibm.ws.wssecurity.wssobject.util.VariablePartAttributeValue;
import com.ibm.ws.wssecurity.wssobject.util.VariablePartFactory;
import com.ibm.ws.wssecurity.wssobject.util.WSSObjectC14NWriter;
import com.ibm.ws.wssecurity.wssobject.util.constants.Utf8ByteConstantsQNames;
import com.ibm.ws.wssecurity.xml.xss4j.AlgorithmFactory;
import com.ibm.ws.wssecurity.xml.xss4j.domutil.DOMUtil;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.transform.ExclusiveC11r;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.HWKeyCache;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Hashtable;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMDocument;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axiom.om.OMText;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/xml/xss4j/dsig/XSignature.class */
/**
 * Static helpers that create and check an XML Digital Signature ({@code ds:Signature}).
 *
 * <p>Two representations are handled side by side: an Axiom {@code OMElement} tree (the
 * "DOM" path: {@link #internalSign}, {@link #internalVerify}) and the WSSObject model
 * ({@link #internalWSSObjectSign}). Only the DOM path has a verify routine in this class.
 *
 * <p>This listing is decompiler (JADX) output. {@code internalVerify} and {@code verify2}
 * were not fully recovered: they reference an undeclared name, throw checked exceptions
 * that the method signatures do not declare, and read locals that are assigned inside a
 * {@code try} block. Read those two methods as an approximation of the control flow, not
 * as the exact logic.
 */
public class XSignature {
    // Debug switch, false in this build; not read anywhere in this class.
    static final boolean DEBUG = false;
    // Namespace URI of XML-DSig elements. The methods below repeat this literal inline.
    public static final String XMLDSIG_NAMESPACE = "http://www.w3.org/2000/09/xmldsig#";
    // Namespace URI of xmlns declarations; not read anywhere in this class.
    static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    // Reference Type URIs for ds:Manifest and ds:Object; not read anywhere in this class.
    public static final String TYPE_MANIFEST = "http://www.w3.org/2000/09/xmldsig#Manifest";
    public static final String TYPE_OBJECT = "http://www.w3.org/2000/09/xmldsig#Object";
    // XML-DSig identifier of the SHA-1 digest. SHA-1 is no longer considered
    // collision-resistant; this class only declares the constant and never reads it.
    public static final String SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
    private static final TraceComponent tc = Tr.register(XSignature.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Unqualified attribute names "Algorithm" and "Id".
    public static final QName ALGO_Q = new QName("", "Algorithm");
    public static final QName ID_Q = new QName("", "Id");
    // Accumulated wall-clock milliseconds spent signing / canonicalizing on the DOM path.
    // Both are public, mutable and updated with a plain "+=", so concurrent callers can
    // lose updates; no method in this class resets them.
    public static long signTime = 0;
    public static long canonicalizeTime = 0;

    /**
     * IDResolver that answers from a local table of registered Id values for one document
     * and otherwise delegates to the wrapped resolver.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/xml/xss4j/dsig/XSignature$IDResolverWrapper.class */
    public static class IDResolverWrapper implements IDResolver {
        // Resolver consulted when the local table has no answer; may be null.
        IDResolver next;
        // Id value -> element, created on first registration. Raw Hashtable: values are
        // cast back to OMElement in resolveID.
        Hashtable hash = null;
        // The only document the local table applies to.
        OMDocument doc;

        IDResolverWrapper(OMDocument oMDocument, IDResolver iDResolver) {
            this.doc = oMDocument;
            this.next = iDResolver;
        }

        /**
         * Records {@code oMElement} under the Id value {@code str}.
         *
         * <p>A second registration with the same Id replaces the first without any
         * signal. The callers in this class only pass non-null, non-empty Id values.
         */
        // NOTE(review): duplicate Id values are a classic source of reference confusion
        // in signed XML; confirm that duplicates are rejected somewhere before this point.
        void registerID(String str, OMElement oMElement) {
            if (this.hash == null) {
                this.hash = new Hashtable();
            }
            this.hash.put(str, oMElement);
        }

        /**
         * Resolves {@code str} to an element.
         *
         * @param oMDocument document the Id belongs to; the local table is used only when
         *                   this is the same object (identity comparison) as the wrapped document
         * @param str        Id value to look up
         * @return the locally registered element, else the delegate's answer, else
         *         {@code null} when there is no delegate
         */
        @Override // com.ibm.ws.wssecurity.xml.xss4j.dsig.IDResolver
        public OMElement resolveID(OMDocument oMDocument, String str) {
            OMElement oMElement;
            if (oMDocument == this.doc && this.hash != null && (oMElement = (OMElement) this.hash.get(str)) != null) {
                return oMElement;
            }
            if (this.next == null) {
                return null;
            }
            return this.next.resolveID(oMDocument, str);
        }
    }

    /**
     * Callback through which {@code verify2} reports its results. {@code internalVerify}
     * passes a {@code ValidityDOM} in this role.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/xml/xss4j/dsig/XSignature$Verifier.class */
    public interface Verifier {
        // Called once per Reference, in document order.
        void addReferenceValidity(ReferenceValidity referenceValidity);

        // Human-readable reason attached to the SignedInfo result.
        void setSignedInfoMessage(String str);

        // Outcome of the SignatureValue check over the canonical SignedInfo.
        void setSignedInfoValidity(boolean z);
    }

    // Static utility holder; never instantiated.
    private XSignature() {
    }

    /**
     * Looks up a child of {@code oMNode} in the XML-DSig namespace with local name
     * {@code str}, by delegating to {@code DOMUtil.getFirstChildElementNamed}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static final OMElement getFirstChild(OMNode oMNode, String str) {
        return DOMUtil.getFirstChildElementNamed(oMNode, "http://www.w3.org/2000/09/xmldsig#", str);
    }

    /**
     * Tells whether {@code oMElement} is in the XML-DSig namespace.
     *
     * @return {@code false} when the element has no namespace or no namespace name
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static final boolean isDsigElement(OMElement oMElement) {
        String name = oMElement.getNamespace() == null ? null : oMElement.getNamespace().getName();
        if (name == null) {
            return false;
        }
        return name.equals("http://www.w3.org/2000/09/xmldsig#");
    }

    /**
     * Tells whether {@code oMElement} is the XML-DSig element with local name {@code str}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static final boolean isDsigElement(OMElement oMElement, String str) {
        String name = oMElement.getNamespace() == null ? null : oMElement.getNamespace().getName();
        return name != null && name.equals("http://www.w3.org/2000/09/xmldsig#") && oMElement.getLocalName().equals(str);
    }

    /**
     * Canonicalizes a SignedInfo element (DOM path) and returns the octets that are signed
     * or verified.
     *
     * <p>The canonicalization algorithm is the one named by the element's own
     * CanonicalizationMethod; whether a given URI is accepted is decided by the
     * {@code AlgorithmFactory} of the context, not by this method.
     *
     * @param signatureContext supplies the algorithm factory and the optional resource shower
     * @param oMElement        the element to canonicalize (callers pass the SignedInfo element)
     * @return the canonical bytes
     * @throws SignatureStructureException when CanonicalizationMethod or its Algorithm attribute is missing or empty
     * @throws NoSuchAlgorithmException    when the factory returns no canonicalizer for the URI
     */
    static byte[] getSignedInfoOctets(SignatureContext signatureContext, OMElement oMElement) throws SignatureStructureException, NoSuchAlgorithmException, IOException {
        OMElement firstChild = getFirstChild(oMElement, "CanonicalizationMethod");
        if (firstChild == null) {
            throw new SignatureStructureException("No CanonicalizationMethod element.  This implementation always requires a CanonicalizationMethod.");
        }
        String attributeValue = firstChild.getAttributeValue(ALGO_Q);
        if (attributeValue == null || attributeValue.length() == 0) {
            throw new SignatureStructureException("No Algorithm attribute in the CanonicalizationMethod element.");
        }
        Canonicalizer canonicalizer = signatureContext.getAlgorithmFactory().getCanonicalizer(attributeValue);
        if (canonicalizer == null) {
            throw new NoSuchAlgorithmException("No canonicalization algorithm: " + attributeValue);
        }
        // The first child element of CanonicalizationMethod, if any, is handed over as the
        // algorithm parameter.
        canonicalizer.setParameter(DOMUtil.getFirstChildElement(firstChild));
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        long currentTimeMillis = System.currentTimeMillis();
        canonicalizer.canonicalize(oMElement, byteArrayOutputStream);
        canonicalizeTime += System.currentTimeMillis() - currentTimeMillis;
        // close() on a ByteArrayOutputStream has no effect; the buffer stays readable.
        byteArrayOutputStream.close();
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        // Optional hook that receives the exact bytes covered by the signature.
        if (signatureContext.getResourceShower() != null) {
            signatureContext.getResourceShower().showSignedResource(signatureContext.getOwnerElement(), -1, "_SignedInfo_", null, byteArray, null);
        }
        return byteArray;
    }

    /**
     * Canonicalizes a SignedInfo of the WSSObject model and returns the octets to sign.
     *
     * <p>Unlike the DOM overload, this method only checks that a CanonicalizationMethod
     * child is present; its Algorithm attribute is not read here. The only input taken
     * from it is the optional prefix list of the child identified by
     * {@code QN_NCLUSIVE_NAMESPACES}.
     *
     * @return a holder (array, offset, length) over the canonical bytes
     * @throws SignatureStructureException when there is no CanonicalizationMethod child
     */
    static ByteArrayHolder getSignedInfoOctets(SignatureContext signatureContext, SignedInfo signedInfo) throws SignatureStructureException, NoSuchAlgorithmException, IOException {
        WSSObjectElement child = WSSObjectUtils.getChild(signedInfo, Utf8ByteConstantsQNames.DSIG.QN_CANONICALIZATION_METHOD);
        if (child == null) {
            throw new SignatureStructureException("No CanonicalizationMethod element.  This implementation always requires a CanonicalizationMethod.");
        }
        WSSObjectElement child2 = WSSObjectUtils.getChild(child, Utf8ByteConstantsQNames.XC14N.QN_NCLUSIVE_NAMESPACES);
        String str = null;
        if (child2 != null) {
            str = ExclusiveC11r.getPrefixList(child2);
        }
        // A missing or empty prefix list becomes an empty set.
        HashSet<String> hashSet = (str == null || str.isEmpty()) ? new HashSet<>() : ExclusiveC11r.parsePrefixList(str);
        BufferExportableByteArrayOutputStream bufferExportableByteArrayOutputStream = new BufferExportableByteArrayOutputStream(2048);
        WSSObjectC14NWriter wSSObjectC14NWriter = new WSSObjectC14NWriter(bufferExportableByteArrayOutputStream);
        // NOTE(review): the meaning of the trailing 'true' argument is not visible here.
        signedInfo.canonicalize(wSSObjectC14NWriter, new NamespacePrefixPairStack(), hashSet, true);
        wSSObjectC14NWriter.flush();
        bufferExportableByteArrayOutputStream.flush();
        bufferExportableByteArrayOutputStream.close();
        ByteArrayHolder byteArrayHolder = bufferExportableByteArrayOutputStream.getByteArrayHolder();
        // Optional hook that receives the exact bytes covered by the signature.
        if (signatureContext.getResourceShower() != null) {
            signatureContext.getResourceShower().showSignedResource(signatureContext.getOwnerElement(), -1, "_SignedInfo_", null, byteArrayHolder.getValue(), byteArrayHolder.getOffset(), byteArrayHolder.getLength(), null);
        }
        return byteArrayHolder;
    }

    /**
     * Builds the signature engine named by the SignatureMethod child of a SignedInfo
     * element (DOM path).
     *
     * <p>The algorithm URI is read from the signature being processed, so on the verify
     * path it is whatever the signed document declares. Which URIs are acceptable is
     * decided by {@code algorithmFactory}; this method applies no allow-list of its own.
     *
     * @throws SignatureStructureException when SignatureMethod or its Algorithm attribute is missing or empty
     */
    // NOTE(review): unlike the canonicalizer lookup in getSignedInfoOctets, the engine
    // returned by the factory is not null-checked before setParameter; confirm the factory
    // throws rather than returning null for an unknown URI.
    static SignatureEngine getSignatureEngine(OMElement oMElement, AlgorithmFactory algorithmFactory) throws SignatureStructureException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, NoSuchProviderException {
        OMElement firstChild = getFirstChild(oMElement, "SignatureMethod");
        if (firstChild == null) {
            throw new SignatureStructureException("No SignatureMethod element.");
        }
        String attributeValue = firstChild.getAttributeValue(ALGO_Q);
        if (attributeValue == null || attributeValue.length() == 0) {
            throw new SignatureStructureException("No Algorithm attribute in the SignatureMethod element.");
        }
        AlgorithmParameterSpec unmarshalParameter = algorithmFactory.unmarshalParameter(attributeValue, firstChild);
        SignatureEngine signatureEngine = algorithmFactory.getSignatureEngine(attributeValue);
        signatureEngine.setParameter(unmarshalParameter);
        return signatureEngine;
    }

    /**
     * Builds the signature engine named by the SignatureMethod of a WSSObject SignedInfo.
     * Same contract as the DOM overload, including the absence of a null check on the
     * engine returned by the factory.
     *
     * @throws SignatureStructureException when SignatureMethod or its Algorithm value is missing or empty
     */
    static SignatureEngine getSignatureEngine(SignedInfo signedInfo, AlgorithmFactory algorithmFactory) throws SignatureStructureException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, NoSuchProviderException {
        com.ibm.ws.wssecurity.wssobject.impl.dsig.SignatureMethod signatureMethod = signedInfo.getSignatureMethod();
        if (signatureMethod == null) {
            throw new SignatureStructureException("No SignatureMethod element.");
        }
        VariablePartAttributeValue algorithm = signatureMethod.getAlgorithm();
        String str = null;
        if (algorithm != null) {
            str = algorithm.toString();
        }
        if (str == null || str.length() == 0) {
            throw new SignatureStructureException("No Algorithm attribute in the SignatureMethod element.");
        }
        AlgorithmParameterSpec unmarshalParameter = algorithmFactory.unmarshalParameter(str, signatureMethod);
        SignatureEngine signatureEngine = algorithmFactory.getSignatureEngine(str);
        signatureEngine.setParameter(unmarshalParameter);
        return signatureEngine;
    }

    /** Resets the digest timer kept by {@code ReferenceProcessor} to zero. */
    public static void resetDigestTime() {
        ReferenceProcessor.digestTime = 0L;
    }

    /** Returns the digest timer kept by {@code ReferenceProcessor}. */
    public static long getDigestTime() {
        return ReferenceProcessor.digestTime;
    }

    /**
     * Signs {@code bArr} with {@code key} and writes the Base64 result into the
     * SignatureValue child of {@code oMElement} (DOM path), replacing its previous content.
     *
     * <p>Signing happens before the SignatureValue lookup, so a missing element is only
     * reported after the private-key operation has already run.
     *
     * @throws SignatureStructureException when there is no SignatureValue child
     */
    static void calculateSignatureValue(OMElement oMElement, SignatureEngine signatureEngine, Key key, byte[] bArr) throws SignatureStructureException, InvalidKeyException, SignatureException {
        long currentTimeMillis = System.currentTimeMillis();
        signatureEngine.initSign(key);
        signatureEngine.update(bArr);
        byte[] sign = signatureEngine.sign();
        signTime += System.currentTimeMillis() - currentTimeMillis;
        OMElement firstChild = getFirstChild(oMElement, "SignatureValue");
        if (firstChild == null) {
            throw new SignatureStructureException("No SignatureValue element.");
        }
        DOMUtil.removeAllChildren(firstChild);
        String encode = Base64.encode(sign);
        // NOTE(review): the OMText declaration is decompiler typing; the value is only
        // treated as text after the node-type test below.
        OMText previousOMSibling = firstChild.getPreviousOMSibling();
        // Node type 4 is OMNode.TEXT_NODE in Axiom. When text precedes SignatureValue, the
        // Base64 output is laid out with a width derived from that text's length,
        // presumably to follow the document's indentation.
        if (previousOMSibling != null && previousOMSibling.getType() == 4) {
            StringBuffer stringBuffer = new StringBuffer();
            // NOTE(review): an empty text node makes this -2; how Base64.format treats a
            // negative width is not visible here.
            int length = (previousOMSibling.getText().length() - 1) * 2;
            stringBuffer.append(Base64.format(encode, length, "\n", ""));
            for (int i = 0; i < length / 2; i++) {
                stringBuffer.append(" ");
            }
            encode = new String(stringBuffer);
        }
        DOMUtil.appendText(firstChild, encode);
    }

    /**
     * Signs the bytes described by {@code byteArrayHolder} with {@code key} and stores the
     * Base64 result as the signature value of {@code signature} (WSSObject path). This
     * overload does not contribute to {@link #signTime}.
     */
    static void calculateSignatureValue(Signature signature, SignatureEngine signatureEngine, Key key, ByteArrayHolder byteArrayHolder) throws SignatureStructureException, InvalidKeyException, SignatureException {
        signatureEngine.initSign(key);
        signatureEngine.update(byteArrayHolder.getValue(), byteArrayHolder.getOffset(), byteArrayHolder.getLength());
        byte[] sign = signatureEngine.sign();
        signature.setSignatureValue(VariablePartFactory.getInstance().createTextValueWithAsciiByteWithoutCharRef(Base64Table.encode(sign, 0, sign.length)));
    }

    /**
     * Checks the SignatureValue child of {@code oMElement} against {@code bArr}.
     *
     * @param oMElement       the Signature element
     * @param signatureEngine engine already configured for the declared algorithm
     * @param key             verification key
     * @param bArr            canonical SignedInfo octets
     * @return the result of {@code signatureEngine.verify} on the Base64-decoded value
     * @throws SignatureStructureException when there is no SignatureValue child
     */
    static boolean verifySignatureValue(OMElement oMElement, SignatureEngine signatureEngine, Key key, byte[] bArr) throws SignatureStructureException, InvalidKeyException, SignatureException {
        OMElement firstChild = getFirstChild(oMElement, "SignatureValue");
        if (firstChild == null) {
            throw new SignatureStructureException("No SignatureValue element.");
        }
        byte[] decode = Base64.decode(DOMUtil.getStringValue(firstChild));
        signatureEngine.initVerify(key);
        signatureEngine.update(bArr);
        return signatureEngine.verify(decode);
    }

    /**
     * Completes the Signature element held by {@code signatureContext} (DOM path): fills
     * in the digest of every Reference and, when {@code key} is not null, the
     * SignatureValue.
     *
     * @param signatureContext holds the Signature element, resolvers and algorithm factory
     * @param key              signing key; with {@code null} only the digests are computed
     * @return the same Signature element, updated in place
     * @throws SignatureStructureException when SignedInfo is missing or an element that
     *                                     follows the first Reference is not a Reference
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static OMElement internalSign(SignatureContext signatureContext, Key key) throws SignatureStructureException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, InvalidKeyException, SignatureException, TransformException, IOException {
        String attributeValue;
        OMElement signatureElement = signatureContext.getSignatureElement();
        if (signatureContext.getUseInternalIDResolver()) {
            // Make ds:Object children with a non-empty Id resolvable by same-document
            // references before any Reference is processed.
            IDResolverWrapper iDResolverWrapper = new IDResolverWrapper(DOMUtil.getOwnerDocument(signatureElement), signatureContext.getIDResolver());
            OMNode firstChild2 = DOMUtil.getFirstChild2(signatureElement);
            while (true) {
                OMNode oMNode = firstChild2;
                if (oMNode == null) {
                    break;
                }
                // Node type 1 is OMNode.ELEMENT_NODE in Axiom.
                if (oMNode.getType() == 1) {
                    OMElement oMElement = (OMElement) oMNode;
                    // The first isDsigElement test is implied by the second.
                    if (isDsigElement(oMElement) && isDsigElement(oMElement, "Object") && (attributeValue = oMElement.getAttributeValue(ID_Q)) != null && attributeValue.length() != 0) {
                        iDResolverWrapper.registerID(attributeValue, oMElement);
                    }
                }
                firstChild2 = DOMUtil.getNextSibling2(oMNode);
            }
            signatureContext.setWrappedIDResolver(iDResolverWrapper);
        }
        // The first child element of Signature is taken to be SignedInfo by position; its
        // name is not checked here.
        OMElement firstChildElement = DOMUtil.getFirstChildElement(signatureElement);
        if (firstChildElement == null) {
            throw new SignatureStructureException("No SignedInfo element.");
        }
        int i = 0;
        OMElement firstChild = getFirstChild(firstChildElement, "Reference");
        while (true) {
            OMElement oMElement2 = firstChild;
            if (oMElement2 == null) {
                // All references are digested: canonicalize SignedInfo and sign it.
                byte[] signedInfoOctets = getSignedInfoOctets(signatureContext, firstChildElement);
                if (key != null) {
                    AlgorithmFactory algorithmFactory = signatureContext.getAlgorithmFactory();
                    SignatureEngine signatureEngine = getSignatureEngine(firstChildElement, algorithmFactory);
                    try {
                        calculateSignatureValue(signatureElement, signatureEngine, key, signedInfoOctets);
                    } catch (OutOfMemoryError e) {
                        // Only with a hardware acceleration provider: flag the key cache
                        // as full and retry once with the same engine and octets.
                        if (!signatureContext.isHWAccelerationProvider()) {
                            throw e;
                        }
                        HWKeyCache.setCapacityReached();
                        calculateSignatureValue(signatureElement, signatureEngine, key, signedInfoOctets);
                    }
                    // NOTE(review): not in a finally block, so the engine is not released
                    // when signing throws.
                    algorithmFactory.releaseSignatureEngine(signatureEngine);
                }
                return signatureElement;
            }
            if (!isDsigElement(oMElement2, "Reference")) {
                throw new SignatureStructureException("A Reference element is expected: " + oMElement2.getLocalName());
            }
            int i2 = i;
            i++;
            // i2 is the zero-based position of this Reference.
            ReferenceProcessor.substDigest(signatureContext, oMElement2, i2);
            firstChild = DOMUtil.getNextElement(oMElement2);
        }
    }

    /**
     * WSSObject counterpart of {@link #internalSign}: fills in the digest of every
     * Reference child of SignedInfo and, when {@code key} is not null, the signature value.
     * Children of SignedInfo that are not References are skipped rather than rejected.
     *
     * @param key signing key; with {@code null} only the digests are computed
     * @return the Signature object held by the context, updated in place
     * @throws SignatureStructureException when the Signature has no SignedInfo
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static Signature internalWSSObjectSign(SignatureContext signatureContext, Key key) throws SignatureStructureException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, InvalidKeyException, SignatureException, TransformException, IOException {
        Signature signatureWSSObject = signatureContext.getSignatureWSSObject();
        SignedInfo signedInfo = signatureWSSObject.signedInfo;
        if (signedInfo == null) {
            throw new SignatureStructureException("No SignedInfo element.");
        }
        int i = 0;
        ArrayList<WSSObject> children = signedInfo.getChildren();
        if (children != null && children.size() > 0) {
            for (int i2 = 0; i2 < children.size(); i2++) {
                WSSObject wSSObject = children.get(i2);
                if (wSSObject instanceof com.ibm.ws.wssecurity.wssobject.impl.dsig.Reference) {
                    int i3 = i;
                    i++;
                    // i3 counts References only, not all children.
                    ReferenceProcessor.substDigest(signatureContext, (com.ibm.ws.wssecurity.wssobject.impl.dsig.Reference) wSSObject, i3);
                }
            }
        }
        ByteArrayHolder signedInfoOctets = getSignedInfoOctets(signatureContext, signedInfo);
        if (key != null) {
            AlgorithmFactory algorithmFactory = signatureContext.getAlgorithmFactory();
            SignatureEngine signatureEngine = getSignatureEngine(signedInfo, algorithmFactory);
            try {
                calculateSignatureValue(signatureWSSObject, signatureEngine, key, signedInfoOctets);
            } catch (OutOfMemoryError e) {
                // Only with a hardware acceleration provider: flag the key cache as full
                // and retry once with the same engine and octets.
                if (!signatureContext.isHWAccelerationProvider()) {
                    throw e;
                }
                HWKeyCache.setCapacityReached();
                calculateSignatureValue(signatureWSSObject, signatureEngine, key, signedInfoOctets);
            }
            // NOTE(review): not in a finally block, so the engine is not released when
            // signing throws.
            algorithmFactory.releaseSignatureEngine(signatureEngine);
        }
        return signatureWSSObject;
    }

    /**
     * Verifies the Signature element held by {@code signatureContext} (DOM path) and
     * returns the collected result.
     *
     * <p>When {@code key} is null, the key is taken from the signature's own KeyInfo via
     * {@code ProcessKey.processKeyInfo}. Nothing in this method establishes that such a
     * key belongs to a trusted signer.
     *
     * <p>Decompiler caveats: the loop below iterates over the undeclared name {@code r0},
     * and the "No KeyInfo element." exception is a checked exception thrown outside the
     * recovered {@code try} although the method declares none. The original
     * {@code try} region is therefore larger than shown.
     *
     * @param key verification key, or {@code null} to use the key from KeyInfo
     * @return a {@code ValidityDOM} carrying the SignedInfo and per-Reference results
     */
    // NOTE(review): confirm that processKeyInfo or the caller validates a message-supplied
    // key (certificate path, trust anchor) before the result is relied on.
    /* JADX INFO: Access modifiers changed from: package-private */
    public static Validity internalVerify(SignatureContext signatureContext, Key key) {
        PublicKey publicKey;
        String attributeValue;
        // Null when the internal resolver is disabled; it is still passed to
        // setWrappedIDResolver below in that case.
        IDResolverWrapper iDResolverWrapper = signatureContext.getUseInternalIDResolver() ? new IDResolverWrapper(DOMUtil.getOwnerDocument(signatureContext.getSignatureElement()), signatureContext.getIDResolver()) : null;
        ValidityDOM validityDOM = new ValidityDOM();
        try {
            // NOTE(review): 'r0' is a decompiler register name that is never declared.
            // internalSign walks the children of the Signature element at the equivalent
            // point, so that element is presumably what is meant; confirm.
            for (OMNode firstChild2 = DOMUtil.getFirstChild2(r0); firstChild2 != null; firstChild2 = DOMUtil.getNextSibling2(firstChild2)) {
                // Node type 1 is OMNode.ELEMENT_NODE in Axiom.
                if (firstChild2.getType() == 1) {
                    OMElement oMElement = (OMElement) firstChild2;
                    if (isDsigElement(oMElement)) {
                        if (isDsigElement(oMElement, "KeyInfo")) {
                            // A key supplied by the caller takes precedence over KeyInfo.
                            if (key == null) {
                                key = ProcessKey.processKeyInfo(signatureContext, oMElement);
                            }
                        } else if (isDsigElement(oMElement, "Object") && iDResolverWrapper != null && (attributeValue = oMElement.getAttributeValue(ID_Q)) != null && attributeValue.length() != 0) {
                            iDResolverWrapper.registerID(attributeValue, oMElement);
                        }
                    }
                }
            }
        // Every handler below does the same thing: it keeps only getMessage() as the
        // SignedInfo message and drops the exception itself.
        } catch (SignatureStructureException e) {
            validityDOM.setSignedInfoMessage(e.getMessage());
        } catch (TransformException e2) {
            validityDOM.setSignedInfoMessage(e2.getMessage());
        } catch (IOException e3) {
            validityDOM.setSignedInfoMessage(e3.getMessage());
        } catch (NoSuchAlgorithmException e4) {
            validityDOM.setSignedInfoMessage(e4.getMessage());
        } catch (CertificateException e5) {
            validityDOM.setSignedInfoMessage(e5.getMessage());
        } catch (InvalidKeySpecException e6) {
            validityDOM.setSignedInfoMessage(e6.getMessage());
        } catch (Exception e7) {
            validityDOM.setSignedInfoMessage(e7.getMessage());
        }
        if (key == null) {
            throw new SignatureStructureException("No KeyInfo element.");
        }
        // With a hardware acceleration provider, use the cache's translated key when it
        // offers one.
        if (signatureContext.isHWAccelerationProvider() && (publicKey = (PublicKey) HWKeyCache.getInstance().translate(key)) != null) {
            key = publicKey;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Key translated by HWCache");
            }
        }
        signatureContext.setWrappedIDResolver(iDResolverWrapper);
        verify2(signatureContext, validityDOM, key);
        // NOTE(review): presumably combines the SignedInfo and Reference results; the
        // rule is defined in ValidityDOM, not here.
        validityDOM.setCoreValidity();
        return validityDOM;
    }

    /**
     * Verifies every Reference and then the SignatureValue, reporting each result through
     * {@code verifier}.
     *
     * <p>The value handed to {@code setSignedInfoValidity} reflects the SignatureValue
     * check only; Reference results are reported separately.
     *
     * <p>Decompiler caveats: {@code signatureElement} and {@code firstChildElement} are
     * assigned inside the recovered {@code try} but used after it, and checked exceptions
     * are thrown although the method declares none. The original {@code try} region
     * presumably covers most of the body, in which case {@code z} would stay
     * {@code false} whenever an exception is caught; confirm against the bytecode.
     */
    private static void verify2(SignatureContext signatureContext, Verifier verifier, Key key) {
        OMElement signatureElement;
        OMElement firstChildElement;
        // Result starts as "invalid".
        boolean z = false;
        try {
            signatureElement = signatureContext.getSignatureElement();
            // SignedInfo is taken by position (first child element); its name is not
            // checked here.
            firstChildElement = DOMUtil.getFirstChildElement(signatureElement);
        } catch (Exception e) {
            // NOTE(review): the full stack trace becomes the SignedInfo message. Confirm
            // this message is never returned to a remote caller, since it would expose
            // internal class names and call paths.
            StringWriter stringWriter = new StringWriter();
            PrintWriter printWriter = new PrintWriter(stringWriter);
            e.printStackTrace(printWriter);
            printWriter.close();
            verifier.setSignedInfoMessage(stringWriter.toString());
        }
        if (firstChildElement == null) {
            throw new SignatureStructureException("No SignedInfo element.");
        }
        int i = 0;
        // From the first Reference on, every following element must be a Reference.
        for (OMElement firstChild = getFirstChild(firstChildElement, "Reference"); firstChild != null; firstChild = DOMUtil.getNextElement(firstChild)) {
            if (!isDsigElement(firstChild, "Reference")) {
                throw new SignatureStructureException("A Reference element is expected: " + firstChild.getQName());
            }
            int i2 = i;
            i++;
            verifier.addReferenceValidity(ReferenceProcessor.verify(signatureContext, firstChild, i2));
        }
        AlgorithmFactory algorithmFactory = signatureContext.getAlgorithmFactory();
        byte[] signedInfoOctets = getSignedInfoOctets(signatureContext, firstChildElement);
        SignatureEngine signatureEngine = getSignatureEngine(firstChildElement, algorithmFactory);
        try {
            z = verifySignatureValue(signatureElement, signatureEngine, key, signedInfoOctets);
        } catch (OutOfMemoryError e2) {
            // Only with a hardware acceleration provider: flag the key cache as full and
            // retry once; unlike the sign path, the octets are recomputed for the retry.
            if (!signatureContext.isHWAccelerationProvider()) {
                throw e2;
            }
            HWKeyCache.setCapacityReached();
            z = verifySignatureValue(signatureElement, signatureEngine, key, getSignedInfoOctets(signatureContext, firstChildElement));
        }
        // NOTE(review): not in a finally block, so the engine is not released when
        // verification throws.
        algorithmFactory.releaseSignatureEngine(signatureEngine);
        if (!z) {
            verifier.setSignedInfoMessage("SignatureValue mismatched.");
        }
        verifier.setSignedInfoValidity(z);
    }
}
