package org.apache.tsik.xmlsig;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import org.apache.tsik.common.Logger;
import org.apache.tsik.common.LoggerFactory;
import org.apache.tsik.domutil.DOMCursor;
import org.apache.tsik.domutil.elements.ElementException;
import org.apache.tsik.xmlsig.elements.KeyValue;
import org.apache.tsik.xmlsig.elements.Signature;
import org.apache.tsik.xmlsig.elements.SignedInfo;
import org.apache.tsik.xpath.XPath;
import org.apache.tsik.xpath.XPathException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/tsik/xmlsig/Verifier.class */
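/**
 * Verifies a single XML digital signature located by an XPath expression inside a DOM document.
 *
 * <p>The constructor parses the {@code Signature} element and canonicalizes its
 * {@code SignedInfo}; the {@code verify} overloads then check the references and the
 * signature value against a key.
 *
 * <p>Trust considerations visible from this class:
 * <ul>
 *   <li>{@link #verify()} takes its key from the signature's own {@code KeyInfo}
 *       (see {@link #getVerifyingKey()}). A {@code true} result therefore shows only that the
 *       signed content matches the key shipped with the signature. To establish who signed,
 *       pass a key obtained independently to {@link #verify(PublicKey)} or
 *       {@link #verify(VerifyingKey)}, or validate the certificate returned by
 *       {@link #getCertificate()} / {@link #getCertificateChain()} against a trust anchor.</li>
 *   <li>No certificate path, validity-period or revocation checking is performed here; the
 *       only certificate check is that its public key equals the {@code KeyValue} key.</li>
 *   <li>Callers should confirm that the elements they act on are covered by the signature,
 *       using {@link #isReferenced(XPath)} or {@link #getReferencedElements()}.</li>
 * </ul>
 *
 * <p>Instances hold mutable state (the current verifying key) and no synchronization is
 * present in this class.
 */
public class Verifier {
    private static Logger log;
    /** Cursor positioned on the {@code Signature} element. */
    private DOMCursor cursor;
    private Signature signature;
    /** Canonical form of {@code SignedInfo}, computed once in the constructor. */
    private byte[] canon;
    // Phase timings in milliseconds; only populated when debug logging is enabled.
    private long canonTime;
    private long cursorTime;
    private long moveTime;
    private long fromXmlTime;
    private VerifyingKey verifyingKey = null;
    // Compiler-generated cache for the class literal (pre-Java 5 javac); kept as-is.
    static Class class$org$apache$tsik$xmlsig$Verifier;

    /**
     * Locates and parses the signature and canonicalizes its {@code SignedInfo}.
     *
     * @param document the document containing the signature; must not be null
     * @param xPath location of the {@code Signature} element; must not be null
     * @throws IllegalArgumentException if an argument is null or the element cannot be parsed
     * @throws XPathException if {@code xPath} does not select a {@code Signature} element
     * @throws NoSuchAlgorithmException propagated from signature parsing/canonicalization
     */
    public Verifier(Document document, XPath xPath) throws XPathException, NoSuchAlgorithmException {
        this.canonTime = 0L;
        this.cursorTime = 0L;
        this.moveTime = 0L;
        this.fromXmlTime = 0L;
        boolean debug = log.isDebugEnabled();
        if (document == null) {
            throw new IllegalArgumentException("document cannot be null");
        }
        if (xPath == null) {
            throw new IllegalArgumentException("signature location cannot be null");
        }
        long start = debug ? System.currentTimeMillis() : 0L;
        this.cursor = new DOMCursor(document);
        if (debug) {
            this.cursorTime = System.currentTimeMillis() - start;
            start = System.currentTimeMillis();
        }
        this.cursor = moveCursor(this.cursor, xPath);
        if (debug) {
            this.moveTime = System.currentTimeMillis() - start;
        }
        // The decompiled listing attached the ElementException handler to a timing statement
        // that cannot throw it. The handler is placed around the parsing steps instead.
        // NOTE(review): the exact extent of the original try range is an assumption; confirm
        // against the bytecode exception table.
        try {
            if (debug) {
                start = System.currentTimeMillis();
            }
            this.signature = Signature.fromXml(this.cursor);
            if (debug) {
                this.fromXmlTime = System.currentTimeMillis() - start;
            }
            SignedInfo signedInfo = this.signature.getSignedInfo();
            if (debug) {
                start = System.currentTimeMillis();
            }
            this.canon = signedInfo.canonicalizeExisting(this.cursor);
            if (debug) {
                this.canonTime = System.currentTimeMillis() - start;
            }
        } catch (ElementException e) {
            // Same message as before; the cause is kept so the parse failure stays diagnosable.
            throw new IllegalArgumentException(e.toString(), e);
        }
    }

    /**
     * Moves the cursor to {@code xPath} and checks that it landed on a {@code Signature} element.
     *
     * <p>Only the local name is compared here; the namespace URI is not checked in this method.
     *
     * @throws XPathException if the expression selects nothing or a differently named element
     */
    private DOMCursor moveCursor(DOMCursor dOMCursor, XPath xPath) throws XPathException {
        boolean onSignature =
                dOMCursor.moveToXPath(xPath) && Signature.name.equals(dOMCursor.getLocalName());
        if (!onSignature) {
            throw new XPathException("XPath expression '" + xPath.getXPath() + "'"
                    + " does not evaluate to " + Signature.uri + ":" + Signature.name);
        }
        return dOMCursor;
    }

    /**
     * Verifies the signature with the key carried in the signature's own {@code KeyInfo}.
     *
     * <p>The key is supplied by the signed document, so this establishes integrity relative to
     * that key only; it does not establish that the key belongs to a trusted party.
     *
     * @return {@code true} if all references and the signature value verify
     * @throws InvalidKeyException if no usable key is present, or the certificate's key
     *         differs from the {@code KeyValue} key
     */
    public boolean verify() throws InvalidKeyException, XPathException, NoSuchAlgorithmException, SignatureException {
        PublicKey embeddedKey = getVerifyingKey();
        if (embeddedKey == null) {
            throw new InvalidKeyException("No verification key set");
        }
        return verify(embeddedKey);
    }

    /**
     * Verifies the signature with a caller-supplied public key.
     *
     * @param publicKey an RSA or DSA public key
     * @return {@code true} if all references and the signature value verify
     * @throws InvalidKeyException if {@code publicKey} is null
     * @throws IllegalArgumentException if the key is neither RSA nor DSA
     */
    public boolean verify(PublicKey publicKey) throws InvalidKeyException, XPathException, NoSuchAlgorithmException, SignatureException {
        if (publicKey == null) {
            throw new InvalidKeyException("No verification key set");
        }
        this.verifyingKey = createVerifyingKey(publicKey);
        this.signature.setVerifyingKey(this.verifyingKey);
        return internalVerify();
    }

    /**
     * Verifies the signature with a caller-supplied {@link VerifyingKey}.
     *
     * @return {@code true} if all references and the signature value verify
     * @throws InvalidKeyException if {@code verifyingKey} is null
     */
    public boolean verify(VerifyingKey verifyingKey) throws InvalidKeyException, XPathException, NoSuchAlgorithmException, SignatureException {
        if (verifyingKey == null) {
            throw new InvalidKeyException("No verification key set");
        }
        this.verifyingKey = verifyingKey;
        this.signature.setVerifyingKey(this.verifyingKey);
        return internalVerify();
    }

    /**
     * Checks the references first, then the signature value over the canonical
     * {@code SignedInfo} computed in the constructor.
     */
    private boolean internalVerify() throws InvalidKeyException, XPathException, NoSuchAlgorithmException, SignatureException {
        boolean debug = log.isDebugEnabled();
        DOMCursor keyInfoCursor = this.cursor.cloneCursor();
        XPath keyInfoPath =
                new XPath("./ds:KeyInfo", new String[]{"ds", "http://www.w3.org/2000/09/xmldsig#"});
        if (keyInfoCursor.moveToXPath(keyInfoPath)) {
            // NOTE(review): the document's KeyInfo is handed to the verifying key even when the
            // caller supplied that key. Confirm readKeyInfo cannot replace caller-supplied key
            // material with values taken from the document.
            this.verifyingKey.readKeyInfo(keyInfoCursor.getElement());
        }
        if (!this.signature.getSignedInfo().verifyReferences()) {
            return false;
        }
        long start = 0;
        if (debug) {
            // Writes the canonical SignedInfo to the debug log, decoded with the platform charset.
            log.debug("canonical form = " + new String(this.canon));
            start = System.currentTimeMillis();
        }
        boolean valid = this.signature.verifySignature(this.canon);
        if (debug) {
            long total = (System.currentTimeMillis() - start)
                    + this.canonTime + this.cursorTime + this.moveTime + this.fromXmlTime;
            log.debug("Time to verify: " + total + " ms, of which c14n: " + this.canonTime
                    + " curs:" + this.cursorTime + " move: " + this.moveTime
                    + " fromXml: " + this.fromXmlTime);
        }
        return valid;
    }

    /** Reports whether the node selected by {@code xPath} is covered by a signature reference. */
    public boolean isReferenced(XPath xPath) {
        return this.signature.getSignedInfo().isReferenced(xPath);
    }

    /** Returns the elements covered by the signature's references. */
    public Element[] getReferencedElements() {
        return this.signature.getSignedInfo().getReferencedElements();
    }

    /**
     * Wraps a JCA public key in the matching {@link VerifyingKey} implementation.
     *
     * @throws IllegalArgumentException if the key is neither RSA nor DSA
     */
    private VerifyingKey createVerifyingKey(PublicKey publicKey) throws InvalidKeyException {
        if (publicKey instanceof RSAPublicKey) {
            return new RSAVerifyingKey(publicKey);
        }
        if (publicKey instanceof DSAPublicKey) {
            return new DSAVerifyingKey(publicKey);
        }
        throw new IllegalArgumentException("unknown signing key type");
    }

    /**
     * Returns the public key from the signature's {@code KeyValue}.
     *
     * <p>If {@code KeyInfo} also carries a certificate whose key differs from the
     * {@code KeyValue} key, {@code null} is returned. The key comes from the document being
     * verified and carries no trust of its own.
     *
     * @return the embedded key, or {@code null} if it is of an unsupported type or contradicts
     *         the embedded certificate
     * @throws InvalidKeyException if the signature has no {@code KeyInfo} or no {@code KeyValue}
     */
    public PublicKey getVerifyingKey() throws XPathException, InvalidKeyException, NoSuchAlgorithmException {
        PublicKey embeddedKey = internalGetVerifyingKey();
        X509Certificate certificate = internalGetCertificate();
        if (certificate != null && compare(certificate, embeddedKey) == null) {
            return null;
        }
        return embeddedKey;
    }

    /**
     * Extracts the {@code KeyValue} key as a JCA {@link PublicKey}.
     *
     * @return the key, or {@code null} if the generated key is neither RSA nor DSA
     * @throws InvalidKeyException if {@code KeyInfo} or {@code KeyValue} is absent
     */
    private PublicKey internalGetVerifyingKey() throws XPathException, InvalidKeyException, NoSuchAlgorithmException {
        // KeyInfo is optional (getKeyInfo() in this class checks for null as well); report its
        // absence the same way as a missing KeyValue instead of failing on a null dereference.
        org.apache.tsik.xmlsig.elements.KeyInfo keyInfo = this.signature.getKeyInfo();
        KeyValue keyValue = keyInfo == null ? null : keyInfo.getKeyValue();
        if (keyValue == null) {
            throw new InvalidKeyException("No verifying key available");
        }
        VerifyingKey generated = keyValue.generateVerifyingKey();
        if (generated instanceof RSAVerifyingKey) {
            return ((RSAVerifyingKey) generated).getPublicKey();
        }
        if (generated instanceof DSAVerifyingKey) {
            return ((DSAVerifyingKey) generated).getPublicKey();
        }
        return null;
    }

    /**
     * Returns the certificate from {@code KeyInfo}, provided it does not contradict the
     * {@code KeyValue} key.
     *
     * <p>When no {@code KeyValue} key can be read, the certificate is returned without any
     * comparison. The certificate is not validated against a trust anchor by this class.
     *
     * @return the certificate, or {@code null} if absent or its key differs from {@code KeyValue}
     */
    public X509Certificate getCertificate() throws XPathException {
        PublicKey embeddedKey = null;
        try {
            embeddedKey = internalGetVerifyingKey();
        } catch (Exception ignored) {
            // Best effort: without a readable KeyValue there is nothing to compare against.
        }
        return compare(internalGetCertificate(), embeddedKey);
    }

    /**
     * Returns {@code x509Certificate} if its public key has the same encoding as
     * {@code publicKey}, or if either argument is null (nothing to compare); otherwise logs a
     * warning and returns {@code null}.
     */
    private X509Certificate compare(X509Certificate x509Certificate, PublicKey publicKey) {
        if (x509Certificate == null || publicKey == null) {
            return x509Certificate;
        }
        byte[] keyEncoding = publicKey.getEncoded();
        byte[] certKeyEncoding = x509Certificate.getPublicKey().getEncoded();
        // getEncoded() may return null for keys without an encoding; Arrays.equals(null, null)
        // is true, so a null encoding must not be accepted as a match.
        if (keyEncoding != null && Arrays.equals(keyEncoding, certKeyEncoding)) {
            return x509Certificate;
        }
        log.warn("Certificate's key differs from key in KeyInfo");
        return null;
    }

    /** Returns the certificate from {@code KeyInfo}, or {@code null} if there is no KeyInfo. */
    private X509Certificate internalGetCertificate() throws XPathException {
        org.apache.tsik.xmlsig.elements.KeyInfo keyInfo = this.signature.getKeyInfo();
        return keyInfo == null ? null : keyInfo.getCertificate();
    }

    /**
     * Returns the certificate chain from {@code KeyInfo}, provided the first certificate does
     * not contradict the {@code KeyValue} key.
     *
     * <p>The chain is returned as found in the document; this class does not verify that each
     * certificate is issued by the next, nor that the chain ends in a trusted root.
     *
     * @return the chain, or {@code null} if absent or the first certificate's key differs from
     *         {@code KeyValue}
     */
    public X509Certificate[] getCertificateChain() throws XPathException {
        org.apache.tsik.xmlsig.elements.KeyInfo keyInfo = this.signature.getKeyInfo();
        if (keyInfo == null) {
            return null;
        }
        X509Certificate[] certificateChain = keyInfo.getCertificateChain();
        if (certificateChain == null) {
            return null;
        }
        if (certificateChain.length == 0) {
            // No leaf certificate to compare; avoid indexing into an empty array.
            return certificateChain;
        }
        PublicKey embeddedKey = null;
        try {
            embeddedKey = internalGetVerifyingKey();
        } catch (Exception ignored) {
            // Best effort: without a readable KeyValue there is nothing to compare against.
        }
        if (compare(certificateChain[0], embeddedKey) != null) {
            return certificateChain;
        }
        log.warn("Leaf certificate's key differs from key in KeyInfo");
        return null;
    }

    /** Returns the signature's {@code KeyInfo} in its public form, or {@code null} if absent. */
    public KeyInfo getKeyInfo() {
        org.apache.tsik.xmlsig.elements.KeyInfo keyInfo = this.signature.getKeyInfo();
        return keyInfo == null ? null : keyInfo.getKeyInfo();
    }

    // Compiler-generated helper behind the class literal (pre-Java 5 javac); kept as-is.
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }

    static {
        // Equivalent of LoggerFactory.getLogger(Verifier.class) in the compiler's expanded form.
        Class cls;
        if (class$org$apache$tsik$xmlsig$Verifier == null) {
            cls = class$("org.apache.tsik.xmlsig.Verifier");
            class$org$apache$tsik$xmlsig$Verifier = cls;
        } else {
            cls = class$org$apache$tsik$xmlsig$Verifier;
        }
        log = LoggerFactory.getLogger(cls);
    }
}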
