package eu.fisver.intern.sig;

import com.sunmi.pay.hardware.aidl.AidlConstants;
import eu.fisver.exceptions.CertificateValidationException;
import eu.fisver.exceptions.CredentialsException;
import eu.fisver.exceptions.ObjectConversionException;
import eu.fisver.exceptions.SignatureException;
import eu.fisver.intern.XmlUtil;
import eu.fisver.intern.sec.Init;
import eu.fisver.intern.sec.c14n.Canonicalizer;
import eu.fisver.intern.sec.transforms.params.InclusiveNamespaces;
import eu.fisver.intern.sec.utils.Constants;
import eu.fisver.intern.sec.utils.XMLUtils;
import eu.fisver.utils.CertificateValidator;
import eu.fisver.utils.SignatureCredentials;
import eu.fisver.utils.Util;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: classes2.dex */
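/**
 * Creates and checks the XML digital signature carried by a single document.
 *
 * <p>The class locates the first {@code Signature} element, its {@code SignedInfo} and the first
 * {@code Reference}, resolves the same-document {@code #id} URI of that reference to the signed
 * content node, and then either fills in {@code DigestValue}/{@code SignatureValue} and the
 * certificate ({@link #sign}) or recomputes and compares them ({@link #verify()}).
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Only the first {@code Reference} of {@code SignedInfo} is processed; any further
 *       references in the document are neither digested nor checked.</li>
 *   <li>During verification the digest and signature algorithms are taken from the document
 *       itself, and SHA-1 based algorithms are accepted. A caller that needs an algorithm policy
 *       has to enforce it separately.</li>
 *   <li>{@link #verify()} without a {@link CertificateValidator} checks the signature against the
 *       certificate embedded in the message only. That shows the message is internally
 *       consistent, not that it comes from a trusted signer.</li>
 *   <li>NOTE(review): the signature is found by tag name and the content by ID through
 *       {@code XmlDomUtils}, which is not visible here. Whether duplicate IDs or additional
 *       {@code Signature} elements are rejected should be confirmed there. After a successful
 *       verification, consume {@link #getContentNode()} rather than re-querying the document,
 *       so that the data acted upon is the data that was verified.</li>
 * </ul>
 *
 * <p>Instances hold and mutate a DOM tree and make no attempt at synchronisation.
 */
public class XmlSigner {
    // Certificate extracted from the message; only set by the verification path.
    private X509Certificate certificate;
    // Element addressed by the Reference URI, i.e. the content covered by the digest.
    private Node contentNode;
    private Document document;
    private Node referenceNode;
    private Node signatureNode;
    private Node signedInfoNode;

    static {
        // One-time initialisation of the bundled XML security code.
        // NOTE(review): presumably registers the canonicalizer implementations - confirm in Init.
        Init.init();
    }

    /**
     * Builds a signer for a document that already contains a {@code Signature} element.
     *
     * @param str the XML document as text
     * @throws ObjectConversionException if the document cannot be parsed or lacks the
     *     Signature / SignedInfo / Reference structure required by {@link #init()}
     */
    public XmlSigner(String str) throws ObjectConversionException {
        Document parsed = XmlDomUtils.buildDocument(str);
        this.document = parsed;
        this.signatureNode = XmlDomUtils.findElementByTagName(parsed, Constants._TAG_SIGNATURE);
        init();
    }

    /**
     * Builds a signer from a document and a separate signature template. The first
     * {@code Signature} element of the template is imported into the document and appended as
     * the last child of the referenced content node.
     *
     * @param str the XML document as text
     * @param str2 XML text containing the {@code Signature} template
     * @throws ObjectConversionException if either input cannot be parsed, the template has no
     *     {@code Signature} element, or the structure required by {@link #init()} is missing
     */
    public XmlSigner(String str, String str2) throws ObjectConversionException {
        this.document = XmlDomUtils.buildDocument(str);
        NodeList templates = XmlDomUtils.buildDocument(str2).getElementsByTagName(Constants._TAG_SIGNATURE);
        if (templates.getLength() > 0) {
            this.signatureNode = this.document.importNode(templates.item(0), true);
        }
        // init() rejects a missing signature node, so the append below never sees null.
        init();
        this.contentNode.appendChild(this.signatureNode);
    }

    /**
     * Canonicalizes the referenced content and hashes it with the algorithm named by the
     * reference's {@code DigestMethod}.
     *
     * <p>When the reference declares the enveloped-signature transform, or (if it does not) the
     * signature sits inside the content, the signature element is detached for the duration of
     * the canonicalization and then put back at its original position.
     *
     * @return the raw digest bytes
     * @throws SignatureException if the digest method is missing, lacks an Algorithm attribute,
     *     is unsupported, or canonicalization fails
     */
    private byte[] calculateContentDigest() throws SignatureException {
        List<C14NAlgorithm> transforms = readTransforms(XmlDomUtils.findElementByTagName(this.referenceNode, "Transforms"));
        Boolean enveloped = null;
        Iterator<C14NAlgorithm> it = transforms.iterator();
        while (it.hasNext()) {
            // The enveloped-signature transform is handled here by detaching the node, so it is
            // removed from the list handed to the canonicalizer.
            if (it.next().getName().equals("http://www.w3.org/2000/09/xmldsig#enveloped-signature")) {
                enveloped = true;
                it.remove();
            }
        }
        if (enveloped == null) {
            enveloped = Boolean.valueOf(XmlDomUtils.isInside(this.contentNode, this.signatureNode));
        }
        Node parent = this.signatureNode.getParentNode();
        // A signature node without a parent has nothing to be detached from.
        boolean detach = enveloped.booleanValue() && parent != null;
        // Remember the position so the signature is restored where it was, not moved to the end.
        Node following = detach ? this.signatureNode.getNextSibling() : null;
        if (detach) {
            parent.removeChild(this.signatureNode);
        }
        byte[] canonical;
        try {
            canonical = canonicalize(this.contentNode, transforms);
        } finally {
            // Restore even when canonicalization fails, so the document is never left without
            // its signature element. insertBefore with a null reference appends.
            if (detach) {
                parent.insertBefore(this.signatureNode, following);
            }
        }
        Node digestMethod = XmlDomUtils.findElementByTagName(this.referenceNode, Constants._TAG_DIGESTMETHOD);
        if (digestMethod == null) {
            throw new SignatureException("No DigestMethod node");
        }
        String algorithm = XmlDomUtils.getAttribute(digestMethod, "Algorithm");
        if (algorithm == null) {
            // Report a malformed document as a signature error instead of a NullPointerException.
            throw new SignatureException("No Algorithm attribute on DigestMethod");
        }
        // NOTE(review): the algorithm is matched by substring and is supplied by the document;
        // SHA-1 is still accepted here.
        if (algorithm.contains("#sha1")) {
            return Util.sha1Digest(canonical);
        }
        if (algorithm.contains("#sha256")) {
            return Util.sha256Digest(canonical);
        }
        throw new SignatureException("Unsupported digest algorithm: " + algorithm);
    }

    /**
     * Signs the canonical {@code SignedInfo} bytes.
     *
     * @param bArr canonical SignedInfo bytes
     * @param privateKey key to sign with
     * @return the raw signature value
     * @throws CredentialsException if the key is missing or cannot be used for signing
     * @throws SignatureException if the signature method is missing or unsupported
     */
    private byte[] calculateSignature(byte[] bArr, PrivateKey privateKey) throws SignatureException, CredentialsException {
        if (privateKey == null) {
            // A null key would otherwise switch calculateSignatureOrVerify into verify mode.
            throw new CredentialsException(new IllegalArgumentException("No private key in signature credentials"));
        }
        return calculateSignatureOrVerify(bArr, null, privateKey, null);
    }

    /**
     * Signs or verifies, depending on whether a private key is supplied.
     *
     * @param bArr canonical SignedInfo bytes
     * @param bArr2 signature value to check (verify mode only)
     * @param privateKey signing key; {@code null} selects verify mode
     * @param x509Certificate certificate whose public key checks the signature (verify mode only)
     * @return the new signature in sign mode, {@code bArr2} after a successful verification
     * @throws SignatureException if the signature method is missing, lacks an Algorithm
     *     attribute, is unsupported, or the signature does not verify
     * @throws CredentialsException if signing with the given key fails
     */
    private byte[] calculateSignatureOrVerify(byte[] bArr, byte[] bArr2, PrivateKey privateKey, X509Certificate x509Certificate) throws SignatureException, CredentialsException {
        boolean verifying = privateKey == null;
        Node methodNode = XmlDomUtils.findElementByTagName(this.signedInfoNode, Constants._TAG_SIGNATUREMETHOD);
        if (methodNode == null) {
            throw new SignatureException("No SignatureMethod node");
        }
        String algorithm = XmlDomUtils.getAttribute(methodNode, "Algorithm");
        if (algorithm == null) {
            // Report a malformed document as a signature error instead of a NullPointerException.
            throw new SignatureException("No Algorithm attribute on SignatureMethod");
        }
        // NOTE(review): these constants come from an unrelated vendor class and look like a
        // decompiler constant substitution; presumably they hold the JCA names for RSA with
        // SHA-256 and RSA with SHA-1 respectively - confirm the values.
        String jcaName;
        if (algorithm.contains("#rsa-sha256")) {
            jcaName = AidlConstants.Security.RSA_SIGN_ALG_4;
        } else if (algorithm.contains("#rsa-sha1")) {
            jcaName = AidlConstants.Security.RSA_SIGN_ALG_3;
        } else {
            throw new SignatureException("Unsupported signature algorithm: " + algorithm);
        }
        Signature signature;
        try {
            signature = Signature.getInstance(jcaName);
        } catch (Exception e) {
            throw new SignatureException(e);
        }
        if (verifying) {
            boolean valid;
            try {
                signature.initVerify(x509Certificate);
                signature.update(bArr);
                valid = signature.verify(bArr2);
            } catch (Exception e) {
                throw new SignatureException(e);
            }
            if (!valid) {
                throw new SignatureException("Invalid signature");
            }
            return bArr2;
        }
        // Kept outside any catch-all so that key problems surface as CredentialsException, as
        // the method signature promises, instead of being re-wrapped as SignatureException.
        try {
            signature.initSign(privateKey);
            signature.update(bArr);
            return signature.sign();
        } catch (Exception e) {
            throw new CredentialsException(e);
        }
    }

    /**
     * Serializes a node with at most one canonicalization algorithm.
     *
     * @param node subtree to serialize
     * @param list canonicalization algorithms to apply; zero or one entry
     * @return the canonical bytes, or the plain DOM output when no algorithm is given or the
     *     canonicalizer yields {@code null}
     * @throws SignatureException if more than one algorithm is given or serialization fails
     */
    private static byte[] canonicalize(Node node, List<C14NAlgorithm> list) throws SignatureException {
        if (list.size() > 1) {
            throw new SignatureException("Currently max 1 canonicalizer allowed");
        }
        try {
            byte[] canonical = null;
            if (list.size() == 1) {
                C14NAlgorithm algorithm = list.get(0);
                Canonicalizer canonicalizer = Canonicalizer.getInstance(algorithm.getName());
                if (algorithm.getIncludeNamespaces() != null) {
                    canonical = canonicalizer.canonicalizeSubtree(node, algorithm.getIncludeNamespaces());
                } else {
                    canonical = canonicalizer.canonicalizeSubtree(node);
                }
            }
            if (canonical != null) {
                return canonical;
            }
            // No canonicalizer, or it produced nothing: fall back to a direct DOM dump.
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            XMLUtils.outputDOM(node, out, false);
            return out.toByteArray();
        } catch (Exception e) {
            throw new SignatureException(e);
        }
    }

    /**
     * Reads the signer certificate embedded in the message.
     *
     * <p>The certificate is only parsed here; whether it is trusted is decided by the
     * {@link CertificateValidator} passed to {@link #verify(CertificateValidator)}, if any.
     *
     * @return the parsed certificate
     * @throws SignatureException if the message carries no certificate or it cannot be parsed
     */
    private X509Certificate findCertificate() throws SignatureException {
        byte[] encoded = findOrWriteCertificate(null);
        if (encoded == null) {
            throw new SignatureException("No certificate in message");
        }
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
        } catch (Exception e) {
            throw new SignatureException(e);
        }
    }

    /**
     * Reads the embedded certificate (argument {@code null}) or writes the given one.
     *
     * <p>Read mode returns the decoded content of the first {@code BinarySecurityToken} in the
     * document, else of the {@code X509Certificate} under the first {@code X509Data}, else
     * {@code null}. Write mode fills every one of those elements that exists, plus the subject
     * name, issuer name and serial number elements under {@code X509Data}.
     *
     * <p>NOTE(review): both elements are looked up document-wide by tag name, not relative to
     * the signature element - confirm that this is acceptable for the message formats in use.
     *
     * @param x509Certificate certificate to write, or {@code null} to read
     * @return the DER bytes in read mode when found; otherwise {@code null}
     * @throws SignatureException if decoding, encoding or DOM access fails
     */
    private byte[] findOrWriteCertificate(X509Certificate x509Certificate) throws SignatureException {
        boolean reading = x509Certificate == null;
        try {
            Node token = XmlDomUtils.findElementByTagName(this.document, "BinarySecurityToken");
            if (token != null) {
                if (reading) {
                    return Util.base64decode(token.getTextContent());
                }
                token.setTextContent(Util.base64encode(x509Certificate.getEncoded(), false));
            }
            Node x509Data = XmlDomUtils.findElementByTagName(this.document, Constants._TAG_X509DATA);
            if (x509Data == null) {
                return null;
            }
            Node certNode = XmlDomUtils.findElementByTagName(x509Data, Constants._TAG_X509CERTIFICATE);
            if (certNode != null) {
                if (reading) {
                    return Util.base64decode(certNode.getTextContent());
                }
                certNode.setTextContent(Util.base64encode(x509Certificate.getEncoded(), false));
            }
            if (reading) {
                return null;
            }
            Node subjectNode = XmlDomUtils.findElementByTagName(x509Data, Constants._TAG_X509SUBJECTNAME);
            if (subjectNode != null) {
                subjectNode.setTextContent(XmlUtil.escapeChars(x509Certificate.getSubjectX500Principal().getName()));
            }
            Node issuerNode = XmlDomUtils.findElementByTagName(x509Data, Constants._TAG_X509ISSUERNAME);
            if (issuerNode != null) {
                issuerNode.setTextContent(XmlUtil.escapeChars(x509Certificate.getIssuerX500Principal().getName()));
            }
            Node serialNode = XmlDomUtils.findElementByTagName(x509Data, Constants._TAG_X509SERIALNUMBER);
            if (serialNode != null) {
                serialNode.setTextContent(String.valueOf(x509Certificate.getSerialNumber()));
            }
            return null;
        } catch (Exception e) {
            throw new SignatureException(e);
        }
    }

    /**
     * Resolves SignedInfo, the first Reference and the content node it points to.
     *
     * <p>Only same-document references of the form {@code #id} are accepted, so the signed
     * content is always an element of this document.
     *
     * @throws ObjectConversionException if any of the required nodes is missing, the URI is
     *     absent or not of the form {@code #id}, or no element carries the referenced ID
     */
    private void init() throws ObjectConversionException {
        if (this.signatureNode == null) {
            throw new ObjectConversionException("No Signature node");
        }
        this.signedInfoNode = XmlDomUtils.findElementByTagName(this.signatureNode, Constants._TAG_SIGNEDINFO);
        if (this.signedInfoNode == null) {
            throw new ObjectConversionException("No SignedInfo node");
        }
        this.referenceNode = XmlDomUtils.findElementByTagName(this.signedInfoNode, Constants._TAG_REFERENCE);
        if (this.referenceNode == null) {
            throw new ObjectConversionException("No Reference node");
        }
        String uri = XmlDomUtils.getAttribute(this.referenceNode, "URI");
        if (uri == null) {
            throw new ObjectConversionException("No Reference URI defined");
        }
        if (uri.length() < 2 || uri.charAt(0) != '#') {
            throw new ObjectConversionException("URI reference must begin with '#'");
        }
        String id = uri.substring(1);
        this.contentNode = XmlDomUtils.findElementById(this.document, id);
        if (this.contentNode == null) {
            throw new ObjectConversionException("Not found node with referenced ID: " + id);
        }
    }

    /**
     * Shared sign/verify routine; {@code signatureCredentials == null} selects verification.
     *
     * <p>Verification: read the embedded certificate, optionally validate it, compare the
     * recomputed content digest with {@code DigestValue}, then check {@code SignatureValue}
     * over the canonical {@code SignedInfo}. Signing: write the digest, the signature and the
     * certificate into the document.
     *
     * <p>The {@code eu.fisver.XmlSigner.test.*} system properties are fault-injection hooks
     * that alter the first byte of a digest or signature. They should stay unset outside
     * tests: whoever can set JVM system properties can make signing emit invalid values and
     * make verification reject valid documents.
     *
     * @param signatureCredentials key and certificate for signing, or {@code null} to verify
     * @param certificateValidator optional trust check for the embedded certificate; when
     *     {@code null} the certificate is used without any validation
     * @throws SignatureException if a required node is missing or a digest/signature mismatches
     * @throws CertificateValidationException if the certificate cannot be read or is rejected
     * @throws CredentialsException if signing with the supplied key fails
     */
    private void process(SignatureCredentials signatureCredentials, CertificateValidator certificateValidator) throws SignatureException, CertificateValidationException, CredentialsException {
        boolean verifying = signatureCredentials == null;
        if (verifying) {
            try {
                X509Certificate embedded = findCertificate();
                this.certificate = embedded;
                if (certificateValidator != null) {
                    certificateValidator.validate(embedded);
                }
            } catch (CertificateValidationException e) {
                throw e;
            } catch (Exception e2) {
                throw new CertificateValidationException(e2);
            }
        }
        byte[] digest = calculateContentDigest();
        Node digestValueNode = XmlDomUtils.findElementByTagName(this.referenceNode, Constants._TAG_DIGESTVALUE);
        if (digestValueNode == null) {
            throw new SignatureException("No DigestValue node");
        }
        if (verifying) {
            if ("1".equals(System.getProperty("eu.fisver.XmlSigner.test.verify.failDigest"))) {
                digest[0] = (byte) (digest[0] + 1);
            }
            if (!Arrays.equals(digest, Util.base64decode(digestValueNode.getTextContent()))) {
                throw new SignatureException("Invalid digest value of referenced content");
            }
        } else {
            if ("1".equals(System.getProperty("eu.fisver.XmlSigner.test.sign.failDigest"))) {
                digest[0] = (byte) (digest[0] + 1);
            }
            // The digest has to be in place before SignedInfo is canonicalized and signed.
            digestValueNode.setTextContent(Util.base64encode(digest));
        }
        byte[] signedInfoBytes = canonicalize(this.signedInfoNode, readTransforms(this.signedInfoNode));
        Node signatureValueNode = XmlDomUtils.findElementByTagName(this.signatureNode, Constants._TAG_SIGNATUREVALUE);
        if (signatureValueNode == null) {
            throw new SignatureException("No SignatureValue node");
        }
        if (verifying) {
            byte[] claimed = Util.base64decode(signatureValueNode.getTextContent());
            if ("1".equals(System.getProperty("eu.fisver.XmlSigner.test.verify.failSignature"))) {
                claimed[0] = (byte) (claimed[0] + 1);
            }
            verifySignature(signedInfoBytes, claimed, this.certificate);
            return;
        }
        byte[] signatureValue = calculateSignature(signedInfoBytes, signatureCredentials.getPrivateKey());
        if ("1".equals(System.getProperty("eu.fisver.XmlSigner.test.sign.failSignature"))) {
            signatureValue[0] = (byte) (signatureValue[0] + 1);
        }
        signatureValueNode.setTextContent(Util.base64encode(signatureValue, false));
        // NOTE(review): a null certificate in the credentials turns this call into a read and
        // leaves the document without the signer certificate - confirm callers never pass one.
        writeCertificate(signatureCredentials.getCertificate());
    }

    /**
     * Collects the algorithms declared by the direct {@code Transform} and
     * {@code CanonicalizationMethod} children of a node, in document order.
     *
     * @param node parent element to scan; {@code null} yields an empty list
     * @return a mutable list of algorithms, each with its optional inclusive-namespace prefixes
     * @throws SignatureException if a matching child has no {@code Algorithm} attribute
     */
    private static List<C14NAlgorithm> readTransforms(Node node) throws SignatureException {
        List<C14NAlgorithm> algorithms = new ArrayList<C14NAlgorithm>();
        if (node == null) {
            return algorithms;
        }
        NodeList children = node.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            String localName = child.getLocalName();
            if (!Constants._TAG_TRANSFORM.equals(localName) && !Constants._TAG_CANONICALIZATIONMETHOD.equals(localName)) {
                continue;
            }
            String algorithm = XmlDomUtils.getAttribute(child, "Algorithm");
            if (algorithm == null) {
                throw new SignatureException("Missing Algorithm from " + child);
            }
            Node inclusive = XmlDomUtils.findElementByTagName(child, InclusiveNamespaces._TAG_EC_INCLUSIVENAMESPACES);
            String prefixes = inclusive != null ? XmlDomUtils.getAttribute(inclusive, InclusiveNamespaces._ATT_EC_PREFIXLIST) : null;
            algorithms.add(new C14NAlgorithm(algorithm, prefixes));
        }
        return algorithms;
    }

    /**
     * Checks a signature value over the canonical {@code SignedInfo} bytes.
     *
     * @param bArr canonical SignedInfo bytes
     * @param bArr2 signature value taken from the message
     * @param x509Certificate certificate whose public key is used for the check
     * @return {@code bArr2} when the signature is valid
     * @throws SignatureException if the signature is invalid or cannot be checked
     * @throws CredentialsException declared for symmetry with the signing path
     */
    private byte[] verifySignature(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws SignatureException, CredentialsException {
        return calculateSignatureOrVerify(bArr, bArr2, null, x509Certificate);
    }

    /**
     * Writes the signer certificate into the document's certificate elements.
     *
     * @param x509Certificate certificate to embed
     * @throws SignatureException if encoding or DOM access fails
     */
    private void writeCertificate(X509Certificate x509Certificate) throws SignatureException {
        findOrWriteCertificate(x509Certificate);
    }

    /**
     * @return the certificate read from the message by the last verification, or {@code null}
     *     if no verification has extracted one; it is set before any validation or signature
     *     check runs, so a non-null value does not by itself indicate a successful verification
     */
    public X509Certificate getCertificate() {
        return this.certificate;
    }

    /** @return the element addressed by the Reference URI, i.e. the content covered by the digest */
    public Node getContentNode() {
        return this.contentNode;
    }

    /** @return the live DOM document this signer operates on */
    public Document getDocument() {
        return this.document;
    }

    /** @return the {@code Signature} element in use */
    public Node getSignatureNode() {
        return this.signatureNode;
    }

    /**
     * Signs the document in place and returns it as text.
     *
     * @param signatureCredentials private key and certificate of the signer
     * @return the serialized signed document
     * @throws SignatureException if the signature structure is incomplete or unsupported, or
     *     the document cannot be serialized
     * @throws CredentialsException if the key cannot be used for signing
     */
    public String sign(SignatureCredentials signatureCredentials) throws SignatureException, CredentialsException {
        try {
            process(signatureCredentials, null);
            return XmlDomUtils.documentToString(this.document);
        } catch (CertificateValidationException e) {
            throw new CredentialsException(e);
        } catch (ObjectConversionException e2) {
            throw new SignatureException(e2);
        }
    }

    /**
     * Verifies digest and signature against the certificate embedded in the message, without
     * validating that certificate. Use {@link #verify(CertificateValidator)} when the signer's
     * identity matters.
     *
     * @throws SignatureException if the digest or signature does not match
     * @throws CertificateValidationException if the embedded certificate cannot be read
     */
    public void verify() throws SignatureException, CertificateValidationException {
        verify(null);
    }

    /**
     * Verifies digest and signature, validating the embedded certificate first.
     *
     * @param certificateValidator trust check applied to the embedded certificate before the
     *     signature is examined; {@code null} skips the check
     * @throws SignatureException if the digest or signature does not match
     * @throws CertificateValidationException if the certificate cannot be read or is rejected
     */
    public void verify(CertificateValidator certificateValidator) throws SignatureException, CertificateValidationException {
        try {
            process(null, certificateValidator);
        } catch (CredentialsException e) {
            throw new CertificateValidationException(e);
        }
    }
}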
