package eu.unicore.security.wsutil;

import eu.unicore.security.SecurityTokens;
import eu.unicore.security.SignatureStatus;
import eu.unicore.security.dsig.DSigException;
import eu.unicore.security.dsig.DigSignatureUtil;
import eu.unicore.security.dsig.IdAttribute;
import eu.unicore.security.wsutil.client.ToBeSignedDecider;
import eu.unicore.util.Log;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.log4j.Logger;
import org.apache.wss4j.common.WSEncryptionPart;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:eu/unicore/security/wsutil/DSigSecurityInHandler.class */
public class DSigSecurityInHandler extends AbstractSoapInterceptor {
    private static final String WSS_NS_STRING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String XML_DS_STRING = "http://www.w3.org/2000/09/xmldsig#";
    private ToBeSignedDecider partsDecider;
    private static Logger logger = Log.getLogger("unicore.security.dsig", DSigSecurityInHandler.class);
    public static final QName WS_SECURITY = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", WSSecHeader.WSSE_LN);
    private static final String WSSUTIL_NS_STRING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    public static final IdAttribute WS_ID_ATTRIBUTE = new IdAttribute(WSSUTIL_NS_STRING, "Id");
    private static final Set<QName> qnameSet = new HashSet();

    public DSigSecurityInHandler(ToBeSignedDecider toBeSignedDecider) {
        super("pre-invoke");
        getAfter().add(DSigParseInHandler.class.getName());
        getAfter().add(AuthInHandler.class.getName());
        this.partsDecider = toBeSignedDecider;
    }

    public Set<QName> getUnderstoodHeaders() {
        return qnameSet;
    }

    public void handleMessage(SoapMessage soapMessage) {
        SecurityTokens securityTokens = (SecurityTokens) soapMessage.get(SecurityTokens.KEY);
        if (securityTokens == null) {
            logger.error("No security context found. You should add " + AuthInHandler.class.getName() + " handler.");
            return;
        }
        securityTokens.setMessageSignatureStatus(SignatureStatus.UNCHECKED);
        Document document = (Document) soapMessage.get(DSigParseInHandler.DOCUMENT_DOM_KEY);
        if (document == null) {
            logger.debug("No DOM representation of message found, signature won't be checked");
            return;
        }
        Header header = soapMessage.getHeader(WS_SECURITY);
        if (header == null) {
            logger.debug("No security header element found, skipping signature verification.");
            securityTokens.setMessageSignatureStatus(SignatureStatus.UNSIGNED);
            return;
        }
        Element element = (Element) header.getObject();
        if (getChildElements(element, XML_DS_STRING, "Signature").size() == 0) {
            logger.debug("No Signature was found in header, skipping signature verification.");
            securityTokens.setMessageSignatureStatus(SignatureStatus.UNSIGNED);
            return;
        }
        try {
            verify(securityTokens, document, element);
        } catch (Exception e) {
            logger.warn("Error while checking signature of request: " + e + "\n" + e.getCause());
            securityTokens.setMessageSignatureStatus(SignatureStatus.WRONG);
        }
    }

    protected void verify(SecurityTokens securityTokens, Document document, Element element) throws Exception {
        long currentTimeMillis = System.currentTimeMillis();
        X509Certificate[] consignor = securityTokens.getConsignor();
        if (consignor == null || consignor.length == 0) {
            logger.debug("No consignor found in security context so skipping signature verification.");
            return;
        }
        PublicKey publicKey = consignor[0].getPublicKey();
        long currentTimeMillis2 = System.currentTimeMillis();
        try {
            logger.trace("Starting signature verification");
            if (verifySignature(document, publicKey)) {
                logger.debug("Signature present and CORRECT");
                securityTokens.setMessageSignatureStatus(SignatureStatus.OK);
            } else {
                logger.warn("Signature present but INCORRECT!!");
                securityTokens.setMessageSignatureStatus(SignatureStatus.WRONG);
            }
            long currentTimeMillis3 = System.currentTimeMillis();
            logger.debug("Total time: " + (currentTimeMillis3 - currentTimeMillis) + " where actual verification was: " + (currentTimeMillis3 - currentTimeMillis2));
        } catch (Exception e) {
            logger.warn("Error while checking signature of request: " + e + "\n" + e.getCause());
            securityTokens.setMessageSignatureStatus(SignatureStatus.WRONG);
        }
    }

    private boolean verifySignature(Document document, PublicKey publicKey) throws DSigException {
        NodeList elementsByTagNameNS = document.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", WSSecHeader.WSSE_LN);
        if (elementsByTagNameNS.getLength() == 0) {
            throw new DSigException("Document not signed");
        }
        if (elementsByTagNameNS.getLength() > 1) {
            throw new DSigException("Document contains more then one wss:Security element. This is not supported and may indicate an attack on XML digital signature.");
        }
        List<Element> childElements = getChildElements((Element) elementsByTagNameNS.item(0), XML_DS_STRING, "Signature");
        if (childElements.size() == 0) {
            throw new DSigException("Document not signed");
        }
        if (childElements.size() > 1) {
            throw new DSigException("Document's wss:Security element contains more then one dsig:Signature element. This is not supported and may indicate an attack on XML digital signature.");
        }
        return new DigSignatureUtil().verifyDetachedSignature(document, getRequiredElements(document), WS_ID_ATTRIBUTE, publicKey, childElements.get(0));
    }

    private List<Element> getChildElements(Element element, String str, String str2) {
        ArrayList arrayList = new ArrayList();
        NodeList childNodes = element.getChildNodes();
        for (int i = 0; i < childNodes.getLength(); i++) {
            Node item = childNodes.item(i);
            if (item instanceof Element) {
                Element element2 = (Element) item;
                if (str2.equals(element2.getLocalName()) && str.equals(element2.getNamespaceURI())) {
                    arrayList.add(element2);
                }
            }
        }
        return arrayList;
    }

    private List<Element> getRequiredElements(Document document) {
        Vector<WSEncryptionPart> vector;
        if (this.partsDecider != null) {
            vector = this.partsDecider.getElementsToBeSigned(document);
        } else {
            vector = new Vector<>();
            vector.add(new WSEncryptionPart("Body", WSSecHeader.SOAP11_URI, ""));
        }
        ArrayList arrayList = new ArrayList();
        Iterator<WSEncryptionPart> it = vector.iterator();
        while (it.hasNext()) {
            WSEncryptionPart next = it.next();
            logger.trace("Required part: " + next.getName());
            NodeList elementsByTagNameNS = document.getElementsByTagNameNS(next.getNamespace(), next.getName());
            if (elementsByTagNameNS.getLength() != 0) {
                for (int i = 0; i < elementsByTagNameNS.getLength(); i++) {
                    arrayList.add((Element) elementsByTagNameNS.item(i));
                }
            }
        }
        return arrayList;
    }

    static {
        qnameSet.add(WS_SECURITY);
    }
}
