package org.warlock.tk.internalservices;

import java.io.ByteArrayInputStream;
import java.io.CharArrayReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import javax.xml.XMLConstants;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.safehaus.uuid.UUIDGenerator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.warlock.tk.boot.ServiceResponse;
import org.warlock.tk.boot.ToolkitService;
import org.warlock.tk.boot.ToolkitSimulator;
import org.warlock.util.CfHNamespaceContext;
import org.warlock.util.configurator.Configurator;
import org.warlock.util.dsig.DOMURIdereferencer;
import org.warlock.util.dsig.SimpleKeySelector;
import org.warlock.util.xsltransform.TransformManager;
import org.xml.sax.InputSource;

/* loaded from: input_file:tkwinstaller/TKW.zip:TKW/TKW.jar:org/warlock/tk/internalservices/SignerService.class */
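/**
 * Toolkit service that produces and checks WS-Security XML digital signatures on
 * SOAP envelopes. {@code execute("sign", xml)} signs the message; any other
 * action string verifies the signature already present in the message.
 *
 * <p>Configuration comes from the boot properties named by the
 * {@code tks.signer.*} constants below. The {@code tks.signer.break.*}
 * properties (also resolvable through the {@link Configurator}) deliberately
 * corrupt parts of a freshly produced signature so that a receiver's rejection
 * handling can be exercised; {@code tks.signer.alwaysacceptsignature} makes
 * {@link #verify} accept every message without looking at it.
 *
 * <p>Thread-safety: {@code ISO8601FORMATDATE} is a shared
 * {@link SimpleDateFormat}, which is not thread-safe; every use of it is
 * serialised on the formatter instance.
 */
public class SignerService implements ToolkitService, Reconfigurable {
    private static final String PASSPROPERTY = "tks.signer.storepassword";
    private static final String KEYPASS = "tks.signer.keypassword";
    private static final String STOREFILE = "tks.signer.keystore";
    private static final String KEYALIAS = "tks.signer.keyalias";
    private static final String ALWAYSACCEPT = "tks.signer.alwaysacceptsignature";
    private static final String SHOWRESOLVEDREFERENCE = "tks.signer.showreference";
    private static final String SHOWREFERENCE = "dereferencer.showreference";
    private static final String MUSTUNDERSTANDSECURITY = "tks.signer.mustunderstandsecurity";
    private static final String BREAKUNAME = "tks.signer.break.usernametoken";
    private static final String BREAKDIGEST = "tks.signer.break.digestvalue";
    private static final String BREAKSIGVAL = "tks.signer.break.signaturevalue";
    private static final String BREAKCERT = "tks.signer.break.certificate";
    private static final String BREAKTIMESTAMP = "tks.signer.break.timestamp";
    private static final String DIGESTALGORITHM = "tks.signer.digestalgorithm";
    // Indices into ALGORITHMS; also the values digestAlgorithm can take.
    private static final int SHA1 = 0;
    private static final int SHA256 = 1;
    private static final int SHA512 = 2;
    private static final int B64BUFFERSIZE = 1000;
    private static final int B64CHUNKSIZE = 64;
    private static final int KEYIDMAXSIZE = 1024;
    // Algorithm and token-profile URIs used when building the signature.
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String DSIG_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
    private static final String XMLENC_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256";
    private static final String XMLENC_SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512";
    private static final String DSIG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String WSS_BASE64BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    private static final String WSS_X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    // Xerces feature that refuses any DOCTYPE, closing the door on external entities.
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final XPathFilterParameterSpec TIMESTAMPXPATH;
    // Formats with a literal 'Z' but in the JVM default time zone; only used to
    // produce a deliberately wrong timestamp for the break-timestamp test mode.
    private static final SimpleDateFormat ISO8601FORMATDATE = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
    private static final String[] ALGORITHMS = {MessageDigestAlgorithms.SHA_1, MessageDigestAlgorithms.SHA_256, MessageDigestAlgorithms.SHA_512};
    private static final HashMap<String, String> namespaces = new HashMap<>();
    private int digestAlgorithm = SHA1;
    private boolean alwaysAccept = false;
    private boolean showReference = false;
    private String serviceName = null;
    private ToolkitSimulator simulator = null;
    private Properties bootProperties = null;
    private HashMap<String, String> table = null;
    private KeyStore keystore = null;
    private X509Certificate certificate = null;
    private String storePass = null;
    private String keyalias = null;

    @Override // org.warlock.tk.boot.ToolkitService
    public Properties getBootProperties() {
        return this.bootProperties;
    }

    /**
     * Re-runs {@link #boot} with the given properties, keeping the simulator and
     * service name from the original boot.
     */
    @Override // org.warlock.tk.internalservices.Reconfigurable
    public void reconfigure(Properties properties) throws Exception {
        boot(this.simulator, properties, this.serviceName);
    }

    /** Single-property reconfiguration is not supported; always returns {@code null}. */
    @Override // org.warlock.tk.internalservices.Reconfigurable
    public String reconfigure(String str, String str2) throws Exception {
        return null;
    }

    /**
     * Loads the signing key store and certificate and reads the service flags.
     *
     * @param toolkitSimulator owning simulator, kept for {@link #reconfigure(Properties)}
     * @param properties       boot properties holding the {@code tks.signer.*} settings
     * @param str              this service's name
     * @throws Exception if the key store or alias properties are missing, the
     *                   key store cannot be opened, or the alias is not a private key
     */
    @Override // org.warlock.tk.boot.ToolkitService
    public void boot(ToolkitSimulator toolkitSimulator, Properties properties, String str) throws Exception {
        this.bootProperties = properties;
        this.serviceName = str;
        this.simulator = toolkitSimulator;
        if (isYes(this.bootProperties.getProperty(SHOWRESOLVEDREFERENCE))) {
            this.showReference = true;
            // The dereferencer reads its own flag from the system properties.
            System.setProperty(SHOWREFERENCE, "Y");
        }
        String storePassword = propertyOrEmpty(PASSPROPERTY);
        String keyPassword = propertyOrEmpty(KEYPASS);
        String storeFile = this.bootProperties.getProperty(STOREFILE);
        if (storeFile == null) {
            throw new Exception("No keystore filename property tks.signer.keystore in properties file");
        }
        this.keystore = KeyStore.getInstance("JKS");
        // try-with-resources: the original left the key store file handle open.
        try (FileInputStream storeStream = new FileInputStream(storeFile)) {
            this.keystore.load(storeStream, storePassword.toCharArray());
        }
        String alias = this.bootProperties.getProperty(KEYALIAS);
        if (alias == null) {
            throw new Exception("No key alias property tks.signer.keyalias in properties file");
        }
        KeyStore.PrivateKeyEntry privateKeyEntry = loadPrivateKeyEntry(alias, keyPassword);
        if (privateKeyEntry == null) {
            throw new Exception("Failed to initialise Signer service: Key alias " + alias + " not found in keystore " + storeFile);
        }
        this.certificate = (X509Certificate) privateKeyEntry.getCertificate();
        if (isYes(this.bootProperties.getProperty(ALWAYSACCEPT))) {
            this.alwaysAccept = true;
        }
        String requestedDigest = this.bootProperties.getProperty(DIGESTALGORITHM);
        if (requestedDigest == null || requestedDigest.trim().isEmpty()) {
            return;
        }
        boolean matched = false;
        for (int i = 0; i < ALGORITHMS.length; i++) {
            if (requestedDigest.equalsIgnoreCase(ALGORITHMS[i])) {
                this.digestAlgorithm = i;
                matched = true;
                break;
            }
        }
        if (!matched) {
            // Previously an unrecognised value silently fell back to SHA-1; say so.
            System.err.println("Signer: unrecognised " + DIGESTALGORITHM + " value '" + requestedDigest + "', using " + ALGORITHMS[this.digestAlgorithm]);
        }
        System.out.println("Signer using Digest Algorithm: " + ALGORITHMS[this.digestAlgorithm]);
    }

    /** Object-form execution is not supported; returns an empty success response. */
    @Override // org.warlock.tk.boot.ToolkitService
    public ServiceResponse execute(Object obj) throws Exception {
        return new ServiceResponse(0, null);
    }

    /**
     * Signs or verifies a message.
     *
     * @param str  action: {@code "sign"} signs; anything else verifies
     * @param str2 the SOAP message XML
     * @return for signing, code 0 and the signed XML; for verification, code 1
     *         when the signature validates and 0 otherwise, with no body
     * @throws Exception wrapping any failure, with the original as cause
     */
    @Override // org.warlock.tk.boot.ToolkitService
    public ServiceResponse execute(String str, String str2) throws Exception {
        if ("sign".equals(str)) {
            try {
                return new ServiceResponse(0, sign(str2));
            } catch (Exception e) {
                throw new Exception("Exception caught trying to sign :" + e.getMessage(), e);
            }
        }
        try {
            return new ServiceResponse(verify(str2) ? 1 : 0, null);
        } catch (Exception e2) {
            throw new Exception("Exception caught trying to verify :" + e2.getMessage(), e2);
        }
    }

    /** Object-form execution is not supported; returns an empty success response. */
    @Override // org.warlock.tk.boot.ToolkitService
    public ServiceResponse execute(String str, Object obj) throws Exception {
        return new ServiceResponse(0, null);
    }

    /** Returns the named boot property, or {@code ""} when it is absent. */
    private String propertyOrEmpty(String name) {
        String value = this.bootProperties.getProperty(name);
        return value == null ? "" : value;
    }

    /** True when the value is non-null and starts with 'y' or 'Y'. */
    private static boolean isYes(String value) {
        return value != null && value.regionMatches(true, 0, "y", 0, 1);
    }

    /**
     * Fetches the private key entry for an alias.
     *
     * @return the entry, or {@code null} when the alias is absent or does not
     *         hold a private key (the original cast would have thrown instead)
     */
    private KeyStore.PrivateKeyEntry loadPrivateKeyEntry(String alias, String keyPassword) throws Exception {
        KeyStore.Entry entry = this.keystore.getEntry(alias, new KeyStore.PasswordProtection(keyPassword.toCharArray()));
        return entry instanceof KeyStore.PrivateKeyEntry ? (KeyStore.PrivateKeyEntry) entry : null;
    }

    /**
     * Creates a namespace-aware {@link DocumentBuilderFactory} hardened against
     * external-entity (XXE) and entity-expansion attacks. Messages given to
     * {@link #verify} arrive from the network, and a signed SOAP envelope never
     * needs a DTD, so DOCTYPEs are refused outright where the parser allows it.
     */
    private static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        try {
            factory.setFeature(DISALLOW_DOCTYPE, true);
        } catch (ParserConfigurationException e) {
            // Not every JAXP implementation knows this Xerces feature; secure
            // processing above still bounds entity expansion, so carry on.
            System.err.println("Signer: XML parser does not support disallow-doctype-decl: " + e.getMessage());
        }
        return factory;
    }

    /** Parses message text into a DOM using the hardened factory. */
    private static Document parseMessage(DocumentBuilderFactory factory, String xml) throws Exception {
        return factory.newDocumentBuilder().parse(new InputSource(new CharArrayReader(xml.toCharArray())));
    }

    /**
     * Returns the first element of a node list, failing with a readable message
     * instead of a later NullPointerException when the element is missing.
     */
    private static Element firstElement(NodeList nodes, String description) throws Exception {
        Node first = nodes.item(0);
        if (first == null) {
            throw new Exception("Required element " + description + " not found in message");
        }
        return (Element) first;
    }

    /**
     * Corrupts a base64/string value for the break-* test modes by flipping its
     * first five characters. Null is returned unchanged; an empty string becomes
     * {@code "X"} so that the corruption is visible.
     */
    private String breakCryptographicString(String str) {
        if (str == null) {
            return str;
        }
        if (str.isEmpty()) {
            return "X";
        }
        char[] chars = str.toCharArray();
        int limit = Math.min(5, chars.length);
        for (int i = 0; i < limit; i++) {
            chars[i] = (chars[i] != 'A') ? 'A' : 'B';
        }
        return new String(chars);
    }

    /**
     * Reads a break-* flag, preferring the live {@link Configurator} value over
     * the boot property so it can be toggled at runtime. Any configurator
     * failure is reported and treated as "not set".
     */
    private boolean checkBreak(String str) {
        if (str == null) {
            return false;
        }
        try {
            String configuration = Configurator.getConfigurator().getConfiguration(str);
            if (configuration != null) {
                return isYes(configuration);
            }
            return isYes(this.bootProperties.getProperty(str));
        } catch (Exception e) {
            System.err.println("Could not resolve configurator: ");
            System.err.println(e.toString());
            return false;
        }
    }

    /**
     * Depth-first search for the first descendant element with the given
     * namespace URI (null matches "no namespace") and local name.
     *
     * @return the element, or {@code null} when none is found or {@code node} is null
     */
    private Element getElementByNameNS(Node node, String str, String str2) {
        if (node == null) {
            return null;
        }
        NodeList children = node.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            // getLocalName() is null for nodes created without namespace support.
            String localName = child.getLocalName();
            if (localName != null && localName.equals(str2)) {
                String childNs = child.getNamespaceURI();
                if (str == null ? childNs == null : str.equals(childNs)) {
                    return (Element) child;
                }
            }
            Element found = getElementByNameNS(child, str, str2);
            if (found != null) {
                return found;
            }
        }
        return null;
    }

    /**
     * Applies any enabled break-* corruptions to a freshly built Security header
     * so that the receiver's signature rejection paths can be tested.
     *
     * @return the same element, modified in place
     * @throws Exception when an element a break mode needs is not present
     */
    private Element doBreakChecks(Element element) throws Exception {
        if (checkBreak(BREAKUNAME)) {
            Element username = firstElement(element.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "Username"), "wsse:Username");
            username.setTextContent(breakCryptographicString(username.getTextContent()));
        }
        if (checkBreak(BREAKDIGEST)) {
            Element digest = firstElement(element.getElementsByTagNameNS(CfHNamespaceContext.DSNAMESPACE, "DigestValue"), "ds:DigestValue");
            digest.setTextContent(breakCryptographicString(digest.getTextContent()));
        }
        if (checkBreak(BREAKSIGVAL)) {
            Element sigValue = firstElement(element.getElementsByTagNameNS(CfHNamespaceContext.DSNAMESPACE, "SignatureValue"), "ds:SignatureValue");
            sigValue.setTextContent(breakCryptographicString(sigValue.getTextContent()));
        }
        if (checkBreak(BREAKCERT)) {
            Element token = firstElement(element.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "BinarySecurityToken"), "wsse:BinarySecurityToken");
            token.setTextContent(breakCryptographicString(token.getTextContent()));
        }
        if (checkBreak(BREAKTIMESTAMP)) {
            Element timestamp = firstElement(element.getElementsByTagNameNS(CfHNamespaceContext.SECUTIL, "Timestamp"), "wsu:Timestamp");
            // One hour in the future, so the receiver should reject it as not yet valid.
            Calendar calendar = Calendar.getInstance();
            calendar.setTime(new Date());
            calendar.add(Calendar.HOUR, 1);
            String broken;
            synchronized (ISO8601FORMATDATE) {
                broken = ISO8601FORMATDATE.format(calendar.getTime());
            }
            timestamp.setTextContent(broken);
        }
        return element;
    }

    /** Digest method URI matching the configured {@code digestAlgorithm}. */
    private String digestMethodUri() {
        switch (this.digestAlgorithm) {
            case SHA256:
                return XMLENC_SHA256;
            case SHA512:
                return XMLENC_SHA512;
            case SHA1:
            default:
                return DSIG_SHA1;
        }
    }

    /**
     * Signs the wsu:Timestamp of the message and rebuilds the wsse:Security
     * header as Timestamp, UsernameToken, BinarySecurityToken (the signing
     * certificate) and ds:Signature, then applies the break-* test corruptions.
     *
     * @param str the SOAP envelope to sign
     * @return the signed envelope serialised back to text
     * @throws Exception when the envelope lacks the header elements the signature
     *                   is built around, or signing itself fails
     */
    private String sign(String str) throws Exception {
        DocumentBuilderFactory factory = newSecureDocumentBuilderFactory();
        factory.setIgnoringComments(true);
        Document doc = parseMessage(factory, str);
        Node securityHeader = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "Security"), "wsse:Security");
        XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
        String timestampId = "uuid_" + UUIDGenerator.getInstance().generateTimeBasedUUID().toString().toUpperCase();
        Transform c14nTransform = sigFactory.newTransform(EXC_C14N, (TransformParameterSpec) null);
        Reference reference = sigFactory.newReference(
                "#" + timestampId,
                sigFactory.newDigestMethod(digestMethodUri(), (DigestMethodParameterSpec) null),
                Collections.singletonList(c14nTransform), null, null);
        Element timestamp = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.SECUTIL, "Timestamp"), "wsu:Timestamp");
        timestamp.setAttributeNS(CfHNamespaceContext.SECUTIL, "wsu:Id", timestampId);
        Node usernameToken = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "UsernameToken"), "wsse:UsernameToken");
        // The Username is overwritten with the certificate subject; verify() checks they agree.
        Element username = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "Username"), "wsse:Username");
        username.setTextContent(this.certificate.getSubjectX500Principal().getName());
        // NOTE(review): the signature method is fixed at rsa-sha1 regardless of
        // tks.signer.digestalgorithm; kept for interoperability with the peer this
        // toolkit simulates — confirm before changing.
        SignedInfo signedInfo = sigFactory.newSignedInfo(
                sigFactory.newCanonicalizationMethod(EXC_C14N, (C14NMethodParameterSpec) null),
                sigFactory.newSignatureMethod(DSIG_RSA_SHA1, (SignatureMethodParameterSpec) null),
                Collections.singletonList(reference));
        KeyInfoFactory keyInfoFactory = sigFactory.getKeyInfoFactory();
        List<Object> x509Content = new ArrayList<>();
        x509Content.add(this.certificate.getSubjectX500Principal().getName());
        x509Content.add(this.certificate);
        KeyInfo keyInfo = keyInfoFactory.newKeyInfo(
                Collections.singletonList(keyInfoFactory.newX509Data(x509Content)),
                UUIDGenerator.getInstance().generateTimeBasedUUID().toString());
        String alias = this.bootProperties.getProperty(KEYALIAS);
        if (alias == null) {
            throw new Exception("No key alias property tks.signer.keyalias in properties file");
        }
        KeyStore.PrivateKeyEntry privateKeyEntry = loadPrivateKeyEntry(alias, propertyOrEmpty(KEYPASS));
        if (privateKeyEntry == null) {
            throw new Exception("Key alias " + alias + " not found in keystore");
        }
        DOMSignContext signContext = new DOMSignContext(privateKeyEntry.getPrivateKey(), securityHeader);
        signContext.setURIDereferencer(new DOMURIdereferencer());
        sigFactory.newXMLSignature(signedInfo, keyInfo).sign(signContext);

        // Rebuild the Security header in the order the receiver expects.
        Element newSecurity = doc.createElementNS(CfHNamespaceContext.SECEXT, "Security");
        if (isYes(this.bootProperties.getProperty(MUSTUNDERSTANDSECURITY))) {
            newSecurity.setAttributeNS(CfHNamespaceContext.SOAPENVNAMESPACE, "soap:mustUnderstand", SchemaSymbols.ATTVAL_TRUE_1);
        }
        newSecurity.appendChild(timestamp);
        newSecurity.appendChild(usernameToken);
        Element binaryToken = doc.createElementNS(CfHNamespaceContext.SECEXT, "BinarySecurityToken");
        binaryToken.setAttribute("EncodingType", WSS_BASE64BINARY);
        binaryToken.setAttribute("ValueType", WSS_X509V3);
        binaryToken.setAttributeNS(CfHNamespaceContext.SECUTIL, "wsu:Id", keyInfo.getId());
        StringWriter certWriter = new StringWriter();
        writeBase64(certWriter, new Base64().encode(this.certificate.getEncoded()));
        binaryToken.setTextContent(certWriter.toString());
        newSecurity.appendChild(binaryToken);
        Element signature = doc.createElementNS(CfHNamespaceContext.DSNAMESPACE, "Signature");
        // sign() above inserted these under the old Security element; move them.
        Node signedInfoNode = doc.getElementsByTagNameNS(CfHNamespaceContext.DSNAMESPACE, "SignedInfo").item(0);
        Node signatureValueNode = doc.getElementsByTagNameNS(CfHNamespaceContext.DSNAMESPACE, "SignatureValue").item(0);
        signature.appendChild(signedInfoNode);
        signature.appendChild(signatureValueNode);
        Element keyInfoElement = doc.createElementNS(CfHNamespaceContext.DSNAMESPACE, "KeyInfo");
        Element tokenReference = doc.createElementNS(CfHNamespaceContext.SECEXT, "SecurityTokenReference");
        Element tokenRef = doc.createElementNS(CfHNamespaceContext.SECEXT, "Reference");
        tokenRef.setAttribute("URI", "#" + keyInfo.getId());
        tokenRef.setAttribute("ValueType", WSS_X509V3);
        tokenReference.appendChild(tokenRef);
        keyInfoElement.appendChild(tokenReference);
        signature.appendChild(keyInfoElement);
        newSecurity.appendChild(signature);
        Node header = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.SOAPENVNAMESPACE, "Header"), "soap:Header");
        header.replaceChild(doBreakChecks(newSecurity), securityHeader);
        StringWriter out = new StringWriter();
        TransformManager.getInstance().getTransformerFactory().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /**
     * Writes base64 bytes as text, breaking lines every {@code B64CHUNKSIZE}
     * characters and ending with a newline. Base64 output is ASCII, so each byte
     * is written as one character.
     */
    private void writeBase64(StringWriter stringWriter, byte[] bArr) throws Exception {
        for (int i = 0; i < bArr.length; i++) {
            if (i != 0 && i % B64CHUNKSIZE == 0) {
                stringWriter.write("\n");
            }
            stringWriter.write(bArr[i]);
        }
        stringWriter.write("\n");
        stringWriter.flush();
    }

    /**
     * Verifies the signature on a received message.
     *
     * <p>The verifying key is the certificate carried in the message's own
     * wsse:BinarySecurityToken, so a successful result only proves that the
     * signature matches that certificate: no chain, trust-anchor or revocation
     * check is performed here. The wsse:Username must also equal the
     * certificate subject (with or without its leading {@code CN=}). When
     * {@code tks.signer.alwaysacceptsignature} is set, every message is
     * accepted without inspection.
     *
     * @param str the SOAP envelope to check
     * @return true when the signature validates
     * @throws Exception when the token, certificate, username or signature
     *                   element is missing or inconsistent
     */
    private boolean verify(String str) throws Exception {
        if (this.alwaysAccept) {
            return true;
        }
        Document doc = parseMessage(newSecureDocumentBuilderFactory(), str);
        Node binaryToken = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "BinarySecurityToken"), "wsse:BinarySecurityToken");
        Node usernameNode = doc.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "Username").item(0);
        String encodedCert = firstTextChild(binaryToken);
        if (encodedCert == null) {
            throw new Exception("Unable to resolve encoded certificate in <BinarySecurityToken>");
        }
        StringBuilder pem = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        pem.append(encodedCert);
        if (!encodedCert.endsWith("\n")) {
            pem.append("\n");
        }
        pem.append("-----END CERTIFICATE-----");
        // Explicit charset: the original used the platform default.
        X509Certificate messageCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem.toString().getBytes(StandardCharsets.UTF_8)));
        SimpleKeySelector keySelector = new SimpleKeySelector();
        keySelector.setFixedKey(messageCert.getPublicKey());
        String owner = messageCert.getSubjectX500Principal().getName();
        if (owner == null) {
            throw new Exception("No owner name in message signing certificate!");
        }
        if (usernameNode == null) {
            throw new Exception("User name not present");
        }
        String username = usernameNode.getTextContent();
        // A bare username is compared against the subject with its "CN=" prefix dropped.
        if (!username.regionMatches(true, 0, "CN=", 0, 3) && owner.regionMatches(true, 0, "CN=", 0, 3)) {
            owner = owner.substring(3);
        }
        if (!owner.contentEquals(username)) {
            System.err.println("Rejecting message: Username/certificate owner mismatch: Username: " + username + " / Certificate: " + owner);
            throw new Exception("User name and certificate owner do not match");
        }
        Node securityHeader = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.SECEXT, "Security"), "wsse:Security");
        Node signatureNode = firstElement(doc.getElementsByTagNameNS(CfHNamespaceContext.DSNAMESPACE, "Signature"), "ds:Signature");
        DOMStructure signatureStructure = new DOMStructure(signatureNode);
        XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext validateContext = new DOMValidateContext(keySelector, securityHeader);
        // Cache the dereferenced data so the digest input can be dumped on failure.
        validateContext.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
        validateContext.setURIDereferencer(new DOMURIdereferencer());
        XMLSignature signature = sigFactory.unmarshalXMLSignature(signatureStructure);
        boolean valid = signature.validate(validateContext);
        if (!valid) {
            reportValidationFailure(signature, validateContext);
        }
        return valid;
    }

    /** Returns the value of the first text child of {@code node}, or null if none. */
    private static String firstTextChild(Node node) {
        NodeList children = node.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child.getNodeType() == Node.TEXT_NODE) {
                return child.getNodeValue();
            }
        }
        return null;
    }

    /**
     * Explains a failed validation on stderr: either the signature value itself
     * is wrong, or one or more references failed, in which case the start of
     * each bad reference's digest input is printed.
     */
    private static void reportValidationFailure(XMLSignature signature, DOMValidateContext validateContext) throws Exception {
        if (!signature.getSignatureValue().validate(validateContext)) {
            System.err.println("Signature validation failed");
            return;
        }
        int index = 0;
        for (Object item : signature.getSignedInfo().getReferences()) {
            Reference reference = (Reference) item;
            if (!reference.validate(validateContext)) {
                System.err.println("Reference " + index + " is invalid");
                // Canonicalised digest input is UTF-8; print only what was read.
                try (InputStreamReader reader = new InputStreamReader(reference.getDigestInputStream(), StandardCharsets.UTF_8)) {
                    char[] buffer = new char[10240];
                    int read = reader.read(buffer);
                    if (read > 0) {
                        System.err.println(new String(buffer, 0, read));
                    }
                }
            }
            index++;
        }
    }

    static {
        namespaces.put("soap", CfHNamespaceContext.SOAPENVNAMESPACE);
        namespaces.put("dsig", CfHNamespaceContext.DSNAMESPACE);
        namespaces.put("wsa", CfHNamespaceContext.WSASPINENAMESPACE);
        namespaces.put("wsse", CfHNamespaceContext.SECEXT);
        namespaces.put("wsu", CfHNamespaceContext.SECUTIL);
        namespaces.put("wss", CfHNamespaceContext.WSSECURITY);
        TIMESTAMPXPATH = new XPathFilterParameterSpec("//wsu:Timestamp", namespaces);
    }
}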
