package com.worklight.integration.utils;

import com.worklight.common.log.WorklightLogger;
import com.worklight.common.log.WorklightServerLogger;
import com.worklight.core.auth.WLKeyStoreManager;
import com.worklight.core.util.RssBrokerUtils;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.MimeHeaders;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPPart;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.codec.binary.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/* loaded from: input_file:com/worklight/integration/utils/WSSecurityService.class */
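/**
 * WS-Security helper: signs a SOAP message with an X.509 binary security token plus an
 * XML-DSig signature ({@link #signSoapMessage}), and checks such a signature on an incoming
 * message ({@link #validateSignature}).
 *
 * <p>Thread-safety: the keystore setters are {@code synchronized}, but
 * {@link #signSoapMessage} assigns the {@code keystore} field without synchronization, so
 * concurrent callers share whatever the last call installed.
 *
 * <p>The signing algorithms are fixed to SHA-1 / RSA-SHA1 (see {@link #addSignature});
 * they are kept for interoperability with existing peers, but both are considered weak and
 * newer JDKs reject SHA-1 XML signatures under secure validation.
 */
public class WSSecurityService {
    public static final String BEAN_ID = "WSSecurityService";
    private static final String X509V3_TOKEN_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String BASE64_ENCODING_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // Parser feature (Xerces-derived parsers, including the JDK default) rejecting any DOCTYPE.
    private static final String DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
    // SAX2 standard features; used as a fallback when DOCTYPE declarations cannot be rejected outright.
    private static final String EXTERNAL_GENERAL_ENTITIES_FEATURE = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES_FEATURE = "http://xml.org/sax/features/external-parameter-entities";
    private String keystorePath;
    private String keystoreType;
    private char[] keystorePassword;
    private KeyStore keystore;
    private boolean keyStoreLoaded;
    private final XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
    private final MessageFactory messageFactory;
    private final TransformerFactory transformerFactory;
    private final DocumentBuilderFactory documentBuilderFactory;
    private static final String WSSE_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSSE_ALIAS = "wsse";
    private static final QName WSSE_SECURITY = new QName(WSSE_URI, "Security", WSSE_ALIAS);
    private static final QName WSSE_BINARY_SECURITY_TOKEN = new QName(WSSE_URI, "BinarySecurityToken", WSSE_ALIAS);
    private static final QName WSSE_ENCODING_TYPE = new QName("EncodingType");
    private static final QName WSSE_VALUE_TYPE = new QName("ValueType");
    private static final QName WSSE_SECURITY_TOKEN_REFERENCE = new QName(WSSE_URI, "SecurityTokenReference", WSSE_ALIAS);
    private static final QName WSSE_REFERENCE = new QName(WSSE_URI, "Reference", WSSE_ALIAS);
    private static final String WSSU_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String WSSU_ALIAS = "wssu";
    private static final QName WSSU_ID = new QName(WSSU_URI, "Id", WSSU_ALIAS);
    private static final String DSIG_ALIAS = "ds";
    private static final QName DSIG_KEY_INFO = new QName(XMLSignature.XMLNS, "KeyInfo", DSIG_ALIAS);
    private static final QName DSIG_SIGNATURE = new QName(XMLSignature.XMLNS, "Signature", DSIG_ALIAS);
    private static final QName DSIG_SIGNED_INFO = new QName(XMLSignature.XMLNS, "SignedInfo", DSIG_ALIAS);
    private static final QName DSIG_REFERENCE = new QName(XMLSignature.XMLNS, "Reference", DSIG_ALIAS);
    private static final WorklightServerLogger logger = new WorklightServerLogger(WSSecurityService.class, WorklightLogger.MessagesBundles.CORE);

    /**
     * Looks up the singleton registered in the bean factory under {@link #BEAN_ID}.
     *
     * @return the managed {@code WSSecurityService} instance
     */
    public static WSSecurityService getInstance() {
        return (WSSecurityService) RssBrokerUtils.getBeanFactory().getBean(BEAN_ID);
    }

    /**
     * Creates the SAAJ, transformer and DOM factories used by this service. The DOM factory is
     * namespace-aware and hardened against external-entity (XXE) and entity-expansion attacks,
     * because {@link #validateSignature} feeds it messages received from remote parties.
     *
     * @throws RuntimeException if SAAJ cannot be initialised or the DOM parser does not accept
     *         the hardening features
     */
    public WSSecurityService() {
        try {
            this.messageFactory = MessageFactory.newInstance();
            this.transformerFactory = TransformerFactory.newInstance();
            this.documentBuilderFactory = DocumentBuilderFactory.newInstance();
            this.documentBuilderFactory.setNamespaceAware(true);
            hardenParser(this.documentBuilderFactory);
        } catch (SOAPException e) {
            throw new RuntimeException("WS-Security initialization failed.", e);
        } catch (ParserConfigurationException e) {
            throw new RuntimeException("WS-Security initialization failed.", e);
        }
    }

    /**
     * Disables DTD processing and external entity resolution on a parser factory.
     * Secure processing is mandatory for every JAXP implementation; rejecting DOCTYPE outright
     * is a Xerces feature, so when the factory does not know it the two SAX-standard
     * external-entity features are switched off instead.
     *
     * @param factory the factory to configure (already namespace-aware)
     * @throws ParserConfigurationException if the factory supports neither the Xerces feature
     *         nor the SAX fallback
     */
    private static void hardenParser(DocumentBuilderFactory factory) throws ParserConfigurationException {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setExpandEntityReferences(false);
        try {
            factory.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
        } catch (ParserConfigurationException notSupported) {
            // Fallback for non-Xerces parsers: entities may still be declared, but never fetched.
            factory.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
            factory.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        }
    }

    /**
     * Sets the key store file path used by the (deprecated) lazy loader and forces a reload.
     *
     * @param str path of the key store file
     */
    public synchronized void setKeystorePath(String str) {
        this.keyStoreLoaded = false;
        this.keystorePath = str;
    }

    /**
     * Sets the {@link KeyStore} type name used by the (deprecated) lazy loader and forces a reload.
     *
     * @param str a {@code KeyStore.getInstance} type name
     */
    public synchronized void setKeystoreType(String str) {
        this.keyStoreLoaded = false;
        this.keystoreType = str;
    }

    /**
     * Sets the password used to open the key store and, in {@link #signSoapMessage}, to
     * recover the private key, then forces a reload.
     *
     * @param str the password; stored as a {@code char[]}
     */
    public synchronized void setKeystorePassword(String str) {
        this.keyStoreLoaded = false;
        this.keystorePassword = str.toCharArray();
    }

    /**
     * Lazily loads the key store described by the setters. Every failure is logged once and
     * remembered until a setter resets {@code keyStoreLoaded}.
     *
     * <p>Not referenced anywhere in this file: {@link #signSoapMessage} obtains its key store
     * from {@link WLKeyStoreManager} instead.
     *
     * @return the loaded key store
     * @throws RuntimeException if the configuration is incomplete or loading failed
     * @deprecated superseded by {@link WLKeyStoreManager}
     */
    @Deprecated
    private synchronized KeyStore getKeyStore() {
        if (!this.keyStoreLoaded) {
            this.keyStoreLoaded = true;
            String failure = describeMissingKeyStoreSetting();
            if (failure == null) {
                try {
                    this.keystore = KeyStore.getInstance(this.keystoreType);
                } catch (KeyStoreException e) {
                    failure = e.getMessage();
                    logger.error(e, "getKeyStore", "logger.illeagalKeyStoreType", new Object[]{this.keystoreType});
                }
            }
            if (failure == null) {
                try {
                    // The stream must be closed explicitly; KeyStore.load does not close it.
                    FileInputStream in = new FileInputStream(this.keystorePath);
                    try {
                        this.keystore.load(in, this.keystorePassword);
                    } finally {
                        in.close();
                    }
                } catch (Exception e2) {
                    failure = logger.getFormatter().format("logger.loadKeyStoreFailed", new Object[]{this.keystorePath});
                    logger.error(e2, "getKeyStore", "logger.loadKeyStoreFailed", new Object[]{this.keystorePath});
                }
            }
            if (failure != null) {
                this.keystore = null;
                logger.warnNoExternalization("getKeyStore", failure);
            }
        }
        if (this.keystore == null) {
            throw new RuntimeException("Key store not loaded.");
        }
        return this.keystore;
    }

    /**
     * Reports the first key store setting that is still missing.
     *
     * @return a message naming the missing setting, or {@code null} when all are present
     */
    private String describeMissingKeyStoreSetting() {
        if (this.keystorePath == null || this.keystorePath.isEmpty()) {
            return "Path to key store file not defined.";
        }
        if (this.keystoreType == null || this.keystoreType.isEmpty()) {
            return "Key store type not defined.";
        }
        if (this.keystorePassword == null) {
            return "Key store password not defined.";
        }
        return null;
    }

    /**
     * Signs the element carrying the given {@code wsu:Id} and returns the message with a
     * {@code wsse:Security} header inserted as the first header child. The header holds the
     * signer's certificate as a Base64 {@code BinarySecurityToken} and a {@code ds:Signature}
     * whose {@code KeyInfo} references that token.
     *
     * <p>The key store is taken from {@link WLKeyStoreManager}'s SOAP key store on every call.
     * The private key is recovered with the password from {@link #setKeystorePassword};
     * presumably the key password equals the key store password — confirm against deployment.
     *
     * <p>NOTE(review): {@code str} is parsed by the SAAJ implementation's own parser; confirm
     * that the SAAJ in use rejects DOCTYPE declarations, as the hardened DOM factory here is
     * not involved in this path.
     *
     * @param str  the SOAP message as XML text
     * @param str2 the {@code wsu:Id} of the element to sign (must exist in the message)
     * @param str3 key store alias of the signing certificate and private key
     * @return the signed message serialised without an XML declaration
     * @throws RuntimeException on any parsing, key store or signing failure; failures raised
     *         while building the security header are rethrown with their own message,
     *         checked exceptions are wrapped with a message naming the failing step
     */
    public String signSoapMessage(String str, String str2, String str3) {
        this.keystore = ((WLKeyStoreManager) RssBrokerUtils.getBeanFactory().getBean(WLKeyStoreManager.BEAN_ID)).getKeyStore(WLKeyStoreManager.WLKeystoreType.SOAP_KEYSTORE);
        try {
            SOAPPart soapPart = this.messageFactory.createMessage(new MimeHeaders(), new ByteArrayInputStream(str.getBytes("UTF-8"))).getSOAPPart();
            SOAPEnvelope envelope = soapPart.getEnvelope();
            SOAPHeader header = envelope.getHeader();
            if (header == null) {
                header = envelope.addHeader();
            }
            // Security must be the first header block; addHeaderElement appends, so move it.
            Node firstChild = header.getFirstChild();
            SOAPHeaderElement security = header.addHeaderElement(WSSE_SECURITY);
            if (firstChild != null) {
                header.insertBefore(security, firstChild);
            }
            if (soapPart.getElementById(str2) == null) {
                throw new RuntimeException("The message doesn't contain the element with wsu:Id=\"" + str2 + "\"");
            }
            String tokenId = addBinarySecurityToken(security, str3);
            addSignature(security, str2, str3, tokenId);
            try {
                return toXMLString(soapPart);
            } catch (Exception e) {
                throw new RuntimeException("Failed to format security element", e);
            }
        } catch (RuntimeException e) {
            // Already carries a step-specific message; do not bury it under "parse" wording.
            throw e;
        } catch (Exception e7) {
            throw new RuntimeException("Failed to parse input message.", e7);
        }
    }

    /**
     * Appends a {@code wsse:BinarySecurityToken} holding the DER certificate of {@code alias}.
     *
     * @param security the {@code wsse:Security} header element
     * @param alias    key store alias of the certificate
     * @return the {@code wsu:Id} given to the token ({@code "CertId-"} + upper-case hex serial)
     * @throws RuntimeException if the alias is unknown or the token cannot be built
     */
    private String addBinarySecurityToken(SOAPElement security, String alias) {
        try {
            SOAPElement token = security.addChildElement(WSSE_BINARY_SECURITY_TOKEN);
            token.addAttribute(WSSE_ENCODING_TYPE, BASE64_ENCODING_TYPE);
            token.addAttribute(WSSE_VALUE_TYPE, X509V3_TOKEN_PROFILE);
            X509Certificate certificate = (X509Certificate) this.keystore.getCertificate(alias);
            if (certificate == null) {
                throw new RuntimeException("Alias " + alias + " not found in the key store.");
            }
            String tokenId = "CertId-" + certificate.getSerialNumber().toString(16).toUpperCase();
            token.addAttribute(WSSU_ID, tokenId);
            token.addTextNode(Base64.encodeBase64String(certificate.getEncoded()));
            return tokenId;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new RuntimeException("Failed to build binary token for the certificate.", e);
        }
    }

    /**
     * Signs the element referenced by {@code signedElementId} and appends the
     * {@code ds:Signature} to the security header, then attaches a {@code KeyInfo} that points
     * at the binary security token by {@code wsu:Id}.
     *
     * <p>Algorithms: exclusive C14N for both the reference transform and the canonicalization
     * method, SHA-1 digest and RSA-SHA1 signature. SHA-1 is retained only for peer
     * compatibility; changing it is an interoperability decision, not a local one.
     *
     * @param security        the {@code wsse:Security} header element (signature parent)
     * @param signedElementId {@code wsu:Id} of the element to sign
     * @param alias           key store alias of the private key
     * @param tokenId         {@code wsu:Id} of the binary security token to reference
     * @throws RuntimeException if the key is missing or signing / key-info creation fails
     */
    private void addSignature(SOAPElement security, String signedElementId, String alias, String tokenId) {
        try {
            DigestMethod digestMethod = this.signatureFactory.newDigestMethod(DigestMethod.SHA1, (DigestMethodParameterSpec) null);
            List<Transform> transforms = Collections.singletonList(this.signatureFactory.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null));
            List<Reference> references = new ArrayList<Reference>();
            references.add(this.signatureFactory.newReference("#" + signedElementId, digestMethod, transforms, (String) null, (String) null));
            SignedInfo signedInfo = this.signatureFactory.newSignedInfo(
                    this.signatureFactory.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                    this.signatureFactory.newSignatureMethod(SignatureMethod.RSA_SHA1, (SignatureMethodParameterSpec) null),
                    references);
            Key key = this.keystore.getKey(alias, this.keystorePassword);
            if (key == null) {
                throw new RuntimeException("Alias " + alias + " not found in the key store.");
            }
            DOMSignContext signContext = new DOMSignContext(key, security);
            signContext.putNamespacePrefix(XMLSignature.XMLNS, DSIG_ALIAS);
            // KeyInfo is attached manually below so it can carry a wsse:SecurityTokenReference.
            this.signatureFactory.newXMLSignature(signedInfo, (KeyInfo) null).sign(signContext);
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new RuntimeException("Failed to create digital signature.", e);
        }
        try {
            // sign() appended ds:Signature as the last child of the parent given to DOMSignContext.
            SOAPElement signature = (SOAPElement) security.getLastChild();
            SOAPElement reference = signature.addChildElement(DSIG_KEY_INFO).addChildElement(WSSE_SECURITY_TOKEN_REFERENCE).addChildElement(WSSE_REFERENCE);
            reference.setAttribute("URI", "#" + tokenId);
            reference.setAttribute("ValueType", X509V3_TOKEN_PROFILE);
        } catch (SOAPException e) {
            throw new RuntimeException("Failed to create key info element", e);
        }
    }

    /**
     * Checks the XML-DSig signature of a received message. The first {@code ds:Signature} in
     * document order is located, its first {@code ds:Reference} resolved to the element carrying
     * that {@code wsu:Id}, and the signature verified with the public key of the X.509
     * {@code BinarySecurityToken} that the signature's {@code KeyInfo} references.
     *
     * <p>What this method does <em>not</em> do: the certificate is taken from the message
     * itself and is not checked against any trust anchor, and nothing relates the signed
     * element to the part of the message the caller later acts on. Callers remain responsible
     * for establishing trust in that certificate (e.g. against a trust store) and for
     * confirming that the element carrying the signed {@code wsu:Id} is the one they consume.
     * Enabling the {@code org.jcp.xml.dsig.secureValidation} property on the validate context
     * is worth considering once the signing side moves off SHA-1.
     *
     * @param str the SOAP message as XML text
     * @throws RuntimeException if the message cannot be parsed, the expected elements are
     *         missing or unsupported, or the signature does not verify
     */
    public void validateSignature(String str) {
        try {
            Document document = this.documentBuilderFactory.newDocumentBuilder().parse(new InputSource(new StringReader(str)));
            Element root = document.getDocumentElement();
            Element signature = findElement(root, DSIG_SIGNATURE);
            if (signature == null) {
                throw new RuntimeException("Cannot find Signature element");
            }
            Element signedInfo = findElement(signature, DSIG_SIGNED_INFO);
            Element reference = signedInfo == null ? null : findElement(signedInfo, DSIG_REFERENCE);
            if (reference == null) {
                throw new RuntimeException("Signed reference element not found");
            }
            String signedId = getReferenceId(reference);
            Element signedElement = findElementByAttribute(root, WSSU_ID, signedId);
            if (signedElement == null) {
                throw new RuntimeException("Signed element with wssu:Id='" + signedId + "' not found.");
            }
            Element keyInfo = findElement(signature, DSIG_KEY_INFO);
            Element tokenReference = keyInfo == null ? null : findElement(keyInfo, WSSE_SECURITY_TOKEN_REFERENCE);
            Element tokenRef = tokenReference == null ? null : findElement(tokenReference, WSSE_REFERENCE);
            if (tokenRef == null) {
                throw new RuntimeException("Security token reference not found");
            }
            String valueType = tokenRef.getAttribute("ValueType");
            if (!X509V3_TOKEN_PROFILE.equals(valueType)) {
                throw new RuntimeException("Unsupported reference value type: " + valueType);
            }
            String tokenId = getReferenceId(tokenRef);
            Element token = findElementByAttribute(root, WSSU_ID, tokenId);
            if (token == null) {
                throw new RuntimeException("Security token with Id='" + tokenId + "' not found");
            }
            DOMValidateContext validateContext = new DOMValidateContext(getCertificateFromBinaryToken(token).getPublicKey(), signature);
            // wsu:Id is not a DTD/schema ID type, so it must be registered for "#id" resolution.
            validateContext.setIdAttributeNS(signedElement, WSSU_ID.getNamespaceURI(), WSSU_ID.getLocalPart());
            boolean valid;
            try {
                valid = this.signatureFactory.unmarshalXMLSignature(validateContext).validate(validateContext);
            } catch (MarshalException e) {
                throw new RuntimeException("Failed to unmarshal digital signature", e);
            } catch (XMLSignatureException e) {
                throw new RuntimeException("Failed to validate digital signature", e);
            }
            if (!valid) {
                throw new RuntimeException("Digital signature is invalid");
            }
        } catch (RuntimeException e) {
            // Keep the step-specific message instead of relabelling it as a parse failure.
            throw e;
        } catch (Exception e3) {
            throw new RuntimeException("Failed to parse the message", e3);
        }
    }

    /**
     * Extracts the local Id from a {@code URI="#id"} attribute.
     *
     * @param element an element with a {@code URI} attribute
     * @return the Id without the leading {@code '#'}
     * @throws RuntimeException if the attribute is missing, does not start with {@code '#'},
     *         or names no Id at all ({@code "#"} alone)
     */
    private String getReferenceId(Element element) {
        String uri = element.getAttribute("URI");
        if (uri == null || uri.isEmpty()) {
            throw new RuntimeException("Element " + element.getNodeName() + " has no 'URI' attribute.");
        }
        if (!uri.startsWith("#")) {
            throw new RuntimeException("Element " + element.getNodeName() + " URI attribute value should start with '#', the actual value is:" + uri);
        }
        String id = uri.substring(1);
        if (id.isEmpty()) {
            // An empty Id would otherwise match every element lacking the attribute.
            throw new RuntimeException("Element " + element.getNodeName() + " URI attribute '#' names no Id.");
        }
        return id;
    }

    /**
     * Decodes the X.509 certificate carried by a {@code wsse:BinarySecurityToken}.
     *
     * @param element the token element; must declare Base64 encoding and the X509v3 value type
     * @return the parsed certificate (not validated against any trust anchor)
     * @throws RuntimeException on an unsupported encoding or value type, or an undecodable certificate
     */
    private X509Certificate getCertificateFromBinaryToken(Element element) {
        String encodingType = element.getAttribute(WSSE_ENCODING_TYPE.getLocalPart());
        if (!BASE64_ENCODING_TYPE.equals(encodingType)) {
            throw new RuntimeException("Unsupported encoding type: " + encodingType);
        }
        String valueType = element.getAttribute(WSSE_VALUE_TYPE.getLocalPart());
        if (!X509V3_TOKEN_PROFILE.equals(valueType)) {
            throw new RuntimeException("Unsupported value type: " + valueType);
        }
        try {
            byte[] der = Base64.decodeBase64(element.getTextContent().trim());
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
        } catch (Exception e) {
            throw new RuntimeException("Failed to read the certificate from the binary token", e);
        }
    }

    /**
     * Depth-first search for the first element whose namespaced attribute equals {@code str}.
     *
     * @param element subtree root (checked first)
     * @param qName   attribute namespace URI and local name
     * @param str     the attribute value to match
     * @return the first matching element in document order, or {@code null}
     */
    private Element findElementByAttribute(Element element, QName qName, String str) {
        String namespace = qName.getNamespaceURI();
        String local = qName.getLocalPart();
        // getAttributeNS returns "" for an absent attribute; require presence so "" never matches.
        if (element.hasAttributeNS(namespace, local) && str.equals(element.getAttributeNS(namespace, local))) {
            return element;
        }
        NodeList children = element.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (!(child instanceof Element)) {
                continue;
            }
            Element match = findElementByAttribute((Element) child, qName, str);
            if (match != null) {
                return match;
            }
        }
        return null;
    }

    /**
     * Returns the first descendant (any depth, document order) with the given namespace and
     * local name, or {@code null} when there is none.
     *
     * @param element subtree root (itself excluded)
     * @param qName   namespace URI and local name to look for
     * @return the first matching descendant element, or {@code null}
     */
    private Element findElement(Element element, QName qName) {
        NodeList matches = element.getElementsByTagNameNS(qName.getNamespaceURI(), qName.getLocalPart());
        return matches.getLength() == 0 ? null : (Element) matches.item(0);
    }

    /**
     * Serialises a node to XML text without an XML declaration.
     *
     * @param node the node to serialise
     * @return the XML text
     * @throws TransformerException if the identity transform fails
     */
    private String toXMLString(javax.xml.soap.Node node) throws TransformerException {
        Transformer transformer = this.transformerFactory.newTransformer();
        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(node), new StreamResult(out));
        return out.toString();
    }
}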
