package com.ibm.ws.config.internal.xml.validator;

import com.ibm.etools.wdt.server.core.WDTConstants;
import com.ibm.websphere.config.ConfigValidationException;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.config.internal.ConfigConstants;
import com.ibm.ws.config.internal.xml.ConfigElement;
import com.ibm.ws.config.internal.xml.Configuration;
import com.ibm.ws.ffdc.FFDCFilter;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

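/**
 * Validates embedded server configuration documents before they are used.
 *
 * <p>{@link #validateResource} buffers the resource, parses it, and requires an XML-DSig
 * {@code Signature} element that passes core validation and carries an X.509 certificate whose
 * public key either equals the key of the pinned {@code LIBERTY_CERTIFICATE} or that was signed
 * by that key. {@link #validateConfig} additionally requires drop-ins to be switched off.
 *
 * <p>This listing is decompiler output. The catch blocks below were restored to use the caught
 * throwable; the decompiler had bound them to unrelated locals and emitted lines that do not
 * compile.
 *
 * <p>Not safe for concurrent use of one instance: {@code errorMsgIssued} is reset and set
 * without synchronization.
 *
 * <p>NOTE(review): points a reviewer should confirm, none of which can be settled from this file:
 * <ul>
 *   <li>The key that validates the signature is chosen by {@code ConfigKeySelector} (not shown),
 *       while the trust decision is made on the first {@code X509Certificate} of the first
 *       {@code X509Data}. Both must refer to the same certificate, otherwise the pinned-key
 *       check does not bind to the key that actually verified the signature.</li>
 *   <li>Only the first {@code Signature} element is validated and nothing here checks which
 *       parts of the document its references cover; the whole buffered document is returned to
 *       the caller.</li>
 *   <li>{@code X509Certificate.verify} checks the issuer signature only; validity period, key
 *       usage and revocation are not examined.</li>
 *   <li>{@code org.jcp.xml.dsig.secureValidation} is not set on the validation context;
 *       enabling it may reject documents signed with older algorithms, so test before
 *       turning it on.</li>
 * </ul>
 */
@TraceOptions(traceGroups = {"config"}, traceGroup = "", messageBundle = ConfigConstants.NLS_PROPS, traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:resources/server_runtime/lib/com.ibm.ws.config_1.0.3.jar:com/ibm/ws/config/internal/xml/validator/EmbeddedXMLConfigValidator.class */
public class EmbeddedXMLConfigValidator implements XMLConfigValidator {
    private static final String CLASS_NAME = EmbeddedXMLConfigValidator.class.getName();
    private static final TraceComponent tc = Tr.register((Class<?>) EmbeddedXMLConfigValidator.class, "config", ConfigConstants.NLS_PROPS);
    // Pinned trust anchor (PEM). Only its public key is used; see verifyDocument.
    private static final String LIBERTY_CERTIFICATE = "-----BEGIN CERTIFICATE-----\nMIIDqDCCApCgAwIBAgIEUMJaljANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCVVMxETAPBgNV\nBAgTCE5ldyBZb3JrMQ8wDQYDVQQHEwZBcm1vbmsxEjAQBgNVBAoTCUlCTSBDb3JwLjEXMBUGA1UE\nCxMOU29mdHdhcmUgR3JvdXAxNTAzBgNVBAMTLFdlYlNwaGVyZSBBcHBsaWNhdGlvbiBTZXJ2ZXIg\nTGliZXJ0eSBQcm9maWxlMB4XDTEyMTIwNzIxMDczNFoXDTMyMTIwMjIxMDczNFowgZUxCzAJBgNV\nBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGQXJtb25rMRIwEAYDVQQKEwlJQk0g\nQ29ycC4xFzAVBgNVBAsTDlNvZnR3YXJlIEdyb3VwMTUwMwYDVQQDEyxXZWJTcGhlcmUgQXBwbGlj\nYXRpb24gU2VydmVyIExpYmVydHkgUHJvZmlsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAJ8l5a67C3jNwuS9g0rYYJ3dDjnykECQGXgQ7sP5i9ixF0Gg6NYesjn6VUBhf8ziC/4R4yrf\nlPID+C1nM9SsUQld5QyAjbboRCXbW6+oIofzQKzWUHQQavXOXkH3i765GlsuME2qHYT+H8SQ0S0Z\n2ZMQGr8PXA8lzTSvExozx+oXRXaqG97cpfNDjVZVswxR9QL5h5GdZ7INtN6OcNiKalz5cF95G4Vv\nL1sjtRkPaupNV7C09hnw+UzdPjmxmIOkw6BbS/J0gkE+NSDjQCt1O4EalCOy1ERKMZIb3QsKyYQv\nebaXCm7u3aEy/yszaCwIIldSjYjM15SUQw20L5vbn/UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\neJICZmkkBYgMqcq17+GRTWaDvKkcmBdBaIi6DDuRM31FNI7AzB2uLX2vJzXrrxPW41YturXKAZf2\n5uKbgZOikO8e3djjCUhiLYhIm4aTJxPlrh+MejaNAwAVeZBunNrZL9VI8jtU/a1Vd9bEdQ305yXW\nzt5c5mfJB3Yrn0LmwYKiSfG2pERy0TVnCpNLM6iQ7O2lQLVXXwlxNthWyOavEqlK54LR1GoklhC4\nk1r4d/5Cc2tjsoIi1y9gZj0qZptJCM2o1RtWf/xa+MgIavH+M/FqLzphvGOoxkPOqOfgpLPhM7bp\nLM6xqhiqexE5Xxq0JiNaxDi5iVUoDDxXG8ZslA==\n-----END CERTIFICATE-----\n";
    private final DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
    private final XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance();
    // Set by printErrorMessage so validateResource does not log a second, generic error.
    private boolean errorMsgIssued = false;
    static final long serialVersionUID = 6635156246924050525L;

    /**
     * Creates a validator with a namespace-aware parser that refuses external entities.
     *
     * <p>The decompiler reports that the original access modifier was {@code protected}; it is
     * kept {@code public} as listed.
     *
     * @throws IllegalStateException if the XML parser cannot be configured safely
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public EmbeddedXMLConfigValidator() {
        this.dbFactory.setNamespaceAware(true);
        hardenParser(this.dbFactory);
    }

    /**
     * Turns off external entity and external DTD resolution on the factory.
     *
     * <p>The document is parsed before its signature is checked, so the parser sees
     * unauthenticated input. Documents with an internal DOCTYPE still parse; rejecting DOCTYPE
     * outright would be stricter if signed configurations never carry one.
     */
    private static void hardenParser(DocumentBuilderFactory factory) {
        try {
            factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (javax.xml.parsers.ParserConfigurationException e) {
            // Fail closed: an unhardened parser must not be used on unverified documents.
            throw new IllegalStateException("XML parser cannot be configured to refuse external entities", e);
        }
    }

    /**
     * Buffers, parses and signature-checks a configuration resource.
     *
     * @param inputStream the resource content; closed by this method
     * @param str         the resource name used in messages
     * @return a fresh stream over the same bytes that were verified
     * @throws ConfigValidationException if reading, parsing or verification fails for any reason
     */
    @Override // com.ibm.ws.config.internal.xml.validator.XMLConfigValidator
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public InputStream validateResource(InputStream inputStream, String str) throws ConfigValidationException {
        this.errorMsgIssued = false;
        try {
            byte[] content;
            try {
                content = readFully(inputStream);
            } finally {
                // Close on the failure path too; the listing only closed after a complete read.
                inputStream.close();
            }
            Document parsed = this.dbFactory.newDocumentBuilder().parse(new ByteArrayInputStream(content));
            verifyDocument(parsed, str);
            // Hand back exactly the bytes that were verified, never the caller's original stream.
            return new ByteArrayInputStream(content);
        } catch (Throwable th) {
            // Both FFDC calls appear in the decompiled output; the first presumably comes from
            // the injected FFDC instrumentation. Kept as listed.
            FFDCFilter.processException(th, "com.ibm.ws.config.internal.xml.validator.EmbeddedXMLConfigValidator", "148", this, new Object[]{inputStream, str});
            if (!this.errorMsgIssued) {
                if (th instanceof SAXException) {
                    printErrorMessage("error.configValidator.parseFailed", str, th.getMessage());
                } else if (th instanceof MarshalException) {
                    printErrorMessage("error.configValidator.unmarshalFailed", str, th.getMessage());
                } else {
                    printErrorMessage("error.configValidator.error", str, th.getMessage());
                }
            }
            FFDCFilter.processException(th, CLASS_NAME, "138", this, new Object[]{str});
            throw new ConfigValidationException("Configuration parsing encountered an invalid document", str);
        }
    }

    /**
     * Reads the stream to its end into memory.
     *
     * <p>NOTE(review): there is no size limit, so the whole unverified resource is held in
     * memory; consider a cap if resources can come from an untrusted location.
     */
    private static byte[] readFully(InputStream in) throws java.io.IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int read;
        while ((read = in.read(chunk, 0, chunk.length)) > -1) {
            buffer.write(chunk, 0, read);
        }
        return buffer.toByteArray();
    }

    /**
     * Checks the document's signature and that its signer is the pinned Liberty key or was
     * certified by it.
     *
     * @param document the parsed configuration document
     * @param str      the resource name used in messages
     * @throws Exception if the signature is missing or invalid, the key material is missing, or
     *                   the signer is not authorized
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void verifyDocument(Document document, String str) throws Exception {
        NodeList signatures = document.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        if (signatures.getLength() == 0) {
            printErrorMessage("error.configValidator.signatureMissing", str);
            throw new IllegalStateException("Unable to find the Signature element in " + str);
        }
        PublicKey libertyKey = loadLibertyPublicKey();
        // Only the first Signature element in document order is considered.
        DOMValidateContext context = new DOMValidateContext(new ConfigKeySelector(), signatures.item(0));
        XMLSignature signature = this.sigFactory.unmarshalXMLSignature(context);
        boolean coreValid = signature.validate(context);
        if (debugEnabled()) {
            Tr.debug(tc, "verifyDocument():  sigValid = " + coreValid, new Object[0]);
        }
        if (!coreValid) {
            if (debugEnabled()) {
                Tr.debug(tc, "verifyDocument():  Signature failed core validation", str);
            }
            // Tell apart "signed content changed" (signature value still verifies) from
            // "signature itself is bad" so the operator gets the right message.
            boolean signatureValueValid = signature.getSignatureValue().validate(context);
            if (debugEnabled()) {
                Tr.debug(tc, "verifyDocument():  sigValid = " + signatureValueValid, new Object[0]);
            }
            if (signatureValueValid) {
                printErrorMessage("error.configValidator.protectedSectionModified", str);
                throw new IllegalStateException("Protectioned section of config document modified");
            }
            printErrorMessage("error.configValidator.signatureNotValid", str);
            throw new IllegalStateException("Config document contains invalid signature");
        }
        if (debugEnabled()) {
            Tr.debug(tc, "verifyDocument():  Signature passed core validation", new Object[0]);
        }
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            printErrorMessage("error.configValidator.keyInfoMissing", str);
            throw new IllegalStateException("Unable to find KeyInfo");
        }
        X509Data x509Data = findFirstX509Data(keyInfo);
        if (x509Data == null) {
            printErrorMessage("error.configValidator.x509DataMissing", str);
            throw new IllegalStateException("Unable to find X509Data");
        }
        X509Certificate signerCert = findFirstCertificate(x509Data);
        if (signerCert == null) {
            printErrorMessage("error.configValidator.x509CertificateMissing", str);
            throw new IllegalStateException("Unable to find X509Certificate");
        }
        // NOTE(review): signerCert is taken from KeyInfo by position. Confirm that
        // ConfigKeySelector validated the signature with this same certificate's key.
        checkSignerTrusted(signerCert, libertyKey, document, str);
    }

    /** Parses the pinned PEM certificate and returns its public key. */
    private static PublicKey loadLibertyPublicKey() throws Exception {
        // PEM is ASCII; name the charset instead of relying on the platform default.
        byte[] pem = LIBERTY_CERTIFICATE.getBytes("US-ASCII");
        X509Certificate pinned = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(pem));
        return pinned.getPublicKey();
    }

    /** Returns the first X509Data entry of the KeyInfo, or null when there is none. */
    private static X509Data findFirstX509Data(KeyInfo keyInfo) {
        for (Object item : keyInfo.getContent()) {
            if (debugEnabled()) {
                Tr.debug(tc, "verifyDocument():  xmlStructure = " + item, new Object[0]);
            }
            if (item instanceof X509Data) {
                return (X509Data) item;
            }
        }
        return null;
    }

    /** Returns the first X509Certificate held by the X509Data, or null when there is none. */
    private static X509Certificate findFirstCertificate(X509Data x509Data) {
        for (Object item : x509Data.getContent()) {
            if (debugEnabled()) {
                Tr.debug(tc, "verifyDocument():  obj = " + item, new Object[0]);
            }
            if (item instanceof X509Certificate) {
                return (X509Certificate) item;
            }
        }
        return null;
    }

    /**
     * Accepts the signer when its key is the pinned key, or when its certificate verifies
     * against the pinned key; otherwise reports the signer as unauthorized.
     */
    private void checkSignerTrusted(X509Certificate signerCert, PublicKey libertyKey, Document document, String str) {
        if (signerCert.getPublicKey().equals(libertyKey)) {
            if (debugEnabled()) {
                Tr.debug(tc, "Document signed by Liberty organization", str);
            }
            Tr.info(tc, "info.configValidator.documentValid", str);
            return;
        }
        if (debugEnabled()) {
            Tr.debug(tc, "verifyDocument():  Document was not signed by Liberty organization", str);
        }
        try {
            // Issuer-signature check only; see the class-level review notes.
            signerCert.verify(libertyKey);
            if (debugEnabled()) {
                Tr.debug(tc, "verifyDocument():  Liberty organization is the CA for document signer", str);
            }
            Tr.info(tc, "info.configValidator.documentValid", str);
        } catch (Throwable th) {
            FFDCFilter.processException(th, "com.ibm.ws.config.internal.xml.validator.EmbeddedXMLConfigValidator", "285", this, new Object[]{document, str});
            if (debugEnabled()) {
                Tr.debug(tc, "verifyDocument():  Liberty organization is not the CA for document signer", str);
            }
            printErrorMessage("error.configValidator.signerNotAuthorized", str);
            FFDCFilter.processException(th, CLASS_NAME, "282", this, new Object[]{str});
            throw new IllegalStateException("Signer certificate not issued by Liberty", th);
        }
    }

    /**
     * Rejects any configuration that does not explicitly set {@code dropinsEnabled="false"}.
     *
     * <p>The check fails closed: a missing element, a missing attribute, or any value other
     * than the exact string {@code "false"} is treated as drop-ins enabled.
     *
     * @param configuration the parsed server configuration
     * @throws ConfigValidationException if drop-ins are not explicitly disabled
     */
    @Override // com.ibm.ws.config.internal.xml.validator.XMLConfigValidator
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void validateConfig(Configuration configuration) throws ConfigValidationException {
        // NOTE(review): the decompiler resolved this name to a tooling constant; presumably it
        // is the application monitor element name. Confirm against the original source.
        ConfigElement monitor = configuration.getSingleton(WDTConstants.APPLICATION_MONITOR, null);
        boolean dropinsDisabled = false;
        if (monitor != null) {
            String value = (String) monitor.getAttribute("dropinsEnabled");
            dropinsDisabled = "false".equals(value);
        }
        if (!dropinsDisabled) {
            Tr.fatal(tc, "fatal.configValidator.dropinsEnabled", new Object[0]);
            throw new ConfigValidationException("Drop-ins enabled in embedded environment");
        }
    }

    /** Logs an error message and records that one was issued for the current validation. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void printErrorMessage(String str, Object... objArr) {
        Tr.error(tc, str, objArr);
        this.errorMsgIssued = true;
    }

    /** Returns true when debug tracing is enabled for this component. */
    private static boolean debugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }
}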
