package com.adobe.forms.foundation.wsdl;

import com.adobe.icc.dbforms.util.DBConstants;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.NoSuchMechanismException;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.xpath.XPathExpressionException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/forms/foundation/wsdl/X509TokenSecurityProfileHandler.class */
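/**
 * Applies the WS-Security X.509 Token Profile to an outgoing SOAP message.
 *
 * <p>The handler embeds the caller's certificate as a {@code wsse:BinarySecurityToken}
 * inside the {@code wsse:Security} header and, when the settings ask for it, signs the
 * SOAP body and/or the {@code wsu:Timestamp} header with the caller's private key. The
 * signature is a detached XML-DSig placed in the {@code wsse:Security} header whose
 * {@code ds:KeyInfo} points back at the embedded token through a
 * {@code wsse:SecurityTokenReference}.
 *
 * <p>Stateless utility; every member is static and the message is modified in place.
 * The algorithm URIs (canonicalization, digest, signature, transform) come from the
 * caller's settings and are only checked for presence, not strength — NOTE(review):
 * consider validating them against an allow-list at configuration time, since a
 * weak digest or signature URI would be accepted here as-is.
 */
public class X509TokenSecurityProfileHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(X509TokenSecurityProfileHandler.class);
    private static final String WSSE_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSU_URI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    private static final String XML_DSIG_URI = "http://www.w3.org/2000/09/xmldsig#";
    private static final String WSU_NS = "xmlns:wsu";
    private static final String ATTRIBUTE_NAME_VALUE_TYPE = "ValueType";
    private static final String ATTRIBUTE_NAME_ENCODING_TYPE = "EncodingType";
    private static final String ATTRIBUTE_VALUE_BASE64_BINARY_ENCODING_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    private static final String ATTRIBUTE_VALUE_VALUE_TYPE_X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String ATTRIBUTE_NAME_ID = "Id";
    private static final String ATTRIBUTE_NAME_URI = "URI";
    private static final String ELEMENT_NAME_BINARY_SECURITY_TOKEN = "BinarySecurityToken";
    private static final String ELEMENT_NAME_SECURITY = "Security";
    private static final String ELEMENT_NAME_TIMESTAMP = "Timestamp";
    private static final String ELEMENT_NAME_SECURITY_TOKEN_REFERENCE = "SecurityTokenReference";
    private static final String ELEMENT_NAME_REFERENCE = "Reference";
    private static final String ELEMENT_PREFIX_WSU = "wsu";
    private static final String ELEMENT_PREFIX_WSSE = "wsse";
    private static final String ELEMENT_PREFIX_DS = "ds";
    private static final String ELEMENT_PREFIX_EC = "ec";
    private static final String ATTRIBUTE_ID_PREFIX_TIMESTAMP = "Ts";
    private static final String ATTRIBUTE_ID_PREFIX_BODY = "Body";
    private static final String ATTRIBUTE_ID_PREFIX_X509_TOKEN = "X509Token";
    private static final String ATTRIBUTE_ID_PREFIX_REFERENCE = "Ref";
    private static final String ATTRIBUTE_ID_PREFIX_KEYINFO = "Ki";
    private static final String ATTRIBUTE_ID_PREFIX_SIGNATURE = "Si";
    private static final String ATTRIBUTE_ID_PREFIX_SIGNATUREVALUE = "Sv";

    /**
     * Reports whether the invoker parameters carry everything needed to apply the
     * X.509 token profile: a settings object holding both a certificate and a private key.
     *
     * @param wSDLInvokerParams invoker parameters; may be {@code null}
     * @return {@code true} only when settings, certificate and private key are all present
     */
    public static boolean isX509TokenSecurityProfileEnabled(WSDLInvokerParams wSDLInvokerParams) {
        if (wSDLInvokerParams == null) {
            return false;
        }
        X509TokenSecurityProfileSettings settings = wSDLInvokerParams.getX509TokenSecurityProfileSettings();
        return settings != null && settings.getCertificate() != null && settings.getPrivateKey() != null;
    }

    /**
     * Fails fast when the settings or the message cannot support the requested processing.
     *
     * <p>A signed {@code wsu:Timestamp} requires the header to already be in the message,
     * and any signing at all requires all four algorithm URIs to be non-blank.
     *
     * @throws IllegalArgumentException when inputs are missing
     * @throws IllegalStateException when the security header cannot be read
     */
    private static void validateX509SecuritySettings(WSDLInvokerParams wSDLInvokerParams, SOAPMessage sOAPMessage) {
        if (!isX509TokenSecurityProfileEnabled(wSDLInvokerParams)) {
            throw new IllegalArgumentException("Unable to get X509TokenSecurity profile processing inputs");
        }
        // Certificate and private key are already guaranteed non-null by the check above.
        X509TokenSecurityProfileSettings settings = wSDLInvokerParams.getX509TokenSecurityProfileSettings();
        if (settings.isSignSecurityTimestampHeader()) {
            try {
                if (getSecurityTTLHeaderElement(sOAPMessage) == null) {
                    throw new IllegalArgumentException("Unable to get time-to-live security header");
                }
            } catch (SOAPException e) {
                // Keep the SAAJ cause so the failing header lookup stays diagnosable.
                throw new IllegalStateException("Unable to get security header", e);
            }
        }
        if (settings.isSignBody() || settings.isSignSecurityTimestampHeader()) {
            if (StringUtils.isBlank(settings.getCanonicalizationAlgorithm())
                    || StringUtils.isBlank(settings.getDigestAlgorithm())
                    || StringUtils.isBlank(settings.getSignatureAlgorithm())
                    || StringUtils.isBlank(settings.getTransformAlgorithm())) {
                throw new IllegalArgumentException("Unable to get required algorithms for signing");
            }
        }
    }

    /**
     * Entry point: validates the settings, embeds the certificate token, signs the
     * configured parts and saves the message.
     *
     * <p>The token is added before signing so that the signature's
     * {@code SecurityTokenReference} can point at its {@code wsu:Id}.
     *
     * @param wSDLInvokerParams invoker parameters holding the X.509 settings
     * @param sOAPMessage message to secure; modified in place
     * @throws IllegalArgumentException when required inputs are missing
     * @throws SOAPException on SAAJ tree errors
     * @throws CertificateEncodingException when the certificate cannot be DER-encoded
     * @throws NoSuchAlgorithmException when a configured algorithm URI is unsupported
     * @throws InvalidAlgorithmParameterException when an algorithm parameter is rejected
     * @throws MarshalException when the signature cannot be marshalled into the DOM
     * @throws XMLSignatureException when signing fails
     * @throws XPathExpressionException declared for compatibility with callers
     */
    public static void handleX509TokenProfileSecurity(WSDLInvokerParams wSDLInvokerParams, SOAPMessage sOAPMessage) throws SOAPException, CertificateEncodingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, MarshalException, XMLSignatureException, XPathExpressionException {
        long start = System.nanoTime();
        validateX509SecuritySettings(wSDLInvokerParams, sOAPMessage);
        X509TokenSecurityProfileSettings settings = wSDLInvokerParams.getX509TokenSecurityProfileSettings();
        addBinarySecurityToken(settings, sOAPMessage);
        if (settings.isSignBody() || settings.isSignSecurityTimestampHeader()) {
            signMessage(settings, sOAPMessage);
        }
        sOAPMessage.saveChanges();
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("handleX509TokenProfileSecurity  time: {}ns", System.nanoTime() - start);
        }
    }

    /**
     * Ensures a {@code wsse:Security} header exists and appends the certificate token to it.
     */
    private static void addBinarySecurityToken(X509TokenSecurityProfileSettings settings, SOAPMessage sOAPMessage) throws SOAPException, CertificateEncodingException {
        SOAPElement securityHeader = getSecurityHeaderElement(sOAPMessage);
        if (securityHeader == null) {
            // Use the element actually attached to the tree, not a detached template.
            securityHeader = createSecurityHeaderElement(sOAPMessage);
        }
        createBinarySecurityTokenHeader(securityHeader, settings);
    }

    /**
     * Gives the signed parts {@code wsu:Id} attributes and then produces the signature.
     */
    private static void signMessage(X509TokenSecurityProfileSettings settings, SOAPMessage sOAPMessage) throws SOAPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, MarshalException, XMLSignatureException, XPathExpressionException {
        assignWSUIds(settings, sOAPMessage);
        createDetachedSignature(settings, sOAPMessage);
    }

    /** True for either exclusive-canonicalization URI (with or without comments). */
    private static boolean isExclusiveCanonicalization(String algorithm) {
        return CanonicalizationMethod.EXCLUSIVE.equals(algorithm)
                || CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS.equals(algorithm);
    }

    /**
     * Builds the {@code SignedInfo} canonicalization method. For exclusive C14N the
     * envelope, {@code wsu} and {@code ec} prefixes are declared as inclusive namespaces
     * so their declarations are part of what gets canonicalized.
     */
    private static CanonicalizationMethod getCanonicalizationMethod(X509TokenSecurityProfileSettings settings, SOAPMessage sOAPMessage, XMLSignatureFactory factory) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, SOAPException {
        String algorithm = settings.getCanonicalizationAlgorithm();
        C14NMethodParameterSpec spec = null;
        if (isExclusiveCanonicalization(algorithm)) {
            List<String> inclusivePrefixes = new ArrayList<>(3);
            inclusivePrefixes.add(sOAPMessage.getSOAPHeader().getPrefix());
            inclusivePrefixes.add(ELEMENT_PREFIX_WSU);
            inclusivePrefixes.add(ELEMENT_PREFIX_EC);
            spec = new ExcC14NParameterSpec(inclusivePrefixes);
        }
        return factory.newCanonicalizationMethod(algorithm, spec);
    }

    /**
     * Builds the single-element transform list applied to every signed reference.
     * Only the plain exclusive-C14N URI (not the with-comments variant) gets an
     * inclusive-namespaces parameter here, matching the original behaviour.
     */
    private static List<Transform> getTransformsList(X509TokenSecurityProfileSettings settings, SOAPMessage sOAPMessage, XMLSignatureFactory factory) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, SOAPException {
        String algorithm = settings.getTransformAlgorithm();
        ExcC14NParameterSpec spec = null;
        if (CanonicalizationMethod.EXCLUSIVE.equals(algorithm)) {
            List<String> inclusivePrefixes = new ArrayList<>(2);
            inclusivePrefixes.add(sOAPMessage.getSOAPHeader().getPrefix());
            inclusivePrefixes.add(ELEMENT_PREFIX_EC);
            spec = new ExcC14NParameterSpec(inclusivePrefixes);
        }
        List<Transform> transforms = new ArrayList<>(1);
        transforms.add(factory.newTransform(algorithm, spec));
        return transforms;
    }

    /**
     * Obtains a DOM-mechanism signature factory, falling back to the provider default
     * when no provider registers the {@code "DOM"} mechanism explicitly.
     */
    private static XMLSignatureFactory getXMLSignatureFactory() {
        try {
            return XMLSignatureFactory.getInstance("DOM");
        } catch (NoSuchMechanismException e) {
            // Best-effort fallback; the default lookup may fail for the same reason, which then propagates.
            LOGGER.debug("No provider for the DOM XMLSignatureFactory mechanism, using the default", e);
            return XMLSignatureFactory.getInstance();
        }
    }

    /**
     * Creates the detached {@code ds:Signature} inside the {@code wsse:Security} header.
     *
     * <p>One {@code ds:Reference} is emitted per signed part (body, timestamp), each
     * pointing at that part's {@code wsu:Id}. The {@code ds:KeyInfo} carries a
     * {@code wsse:SecurityTokenReference} to the embedded certificate token rather
     * than the certificate itself. Signing the timestamp lets a receiver that enforces
     * the time-to-live reject replayed messages.
     *
     * <p>Assumes {@link #addBinarySecurityToken} and {@link #assignWSUIds} already ran:
     * a missing security header or token would surface as a {@code NullPointerException}.
     */
    private static void createDetachedSignature(X509TokenSecurityProfileSettings settings, SOAPMessage sOAPMessage) throws SOAPException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, MarshalException, XMLSignatureException, XPathExpressionException {
        XMLSignatureFactory factory = getXMLSignatureFactory();
        SOAPElement securityHeader = getSecurityHeaderElement(sOAPMessage);
        SOAPElement tokenElement = getBinarySecurityTokenHeader(securityHeader);
        SOAPBody body = sOAPMessage.getSOAPBody();
        String tokenId = getWSUId(tokenElement);

        DigestMethod digestMethod = factory.newDigestMethod(settings.getDigestAlgorithm(), (DigestMethodParameterSpec) null);
        List<Transform> transforms = getTransformsList(settings, sOAPMessage, factory);
        CanonicalizationMethod canonicalizationMethod = getCanonicalizationMethod(settings, sOAPMessage, factory);

        List<Reference> references = new ArrayList<>();
        SOAPElement timestampElement = null;
        if (settings.isSignBody()) {
            references.add(factory.newReference("#" + getWSUId(body), digestMethod, transforms, null, generateId(ATTRIBUTE_ID_PREFIX_REFERENCE)));
        }
        if (settings.isSignSecurityTimestampHeader()) {
            timestampElement = getSecurityTTLHeaderElement(securityHeader);
            references.add(factory.newReference("#" + getWSUId(timestampElement), digestMethod, transforms, null, generateId(ATTRIBUTE_ID_PREFIX_REFERENCE)));
        }
        SignedInfo signedInfo = factory.newSignedInfo(canonicalizationMethod,
                factory.newSignatureMethod(settings.getSignatureAlgorithm(), (SignatureMethodParameterSpec) null),
                references);

        // The private key is handed to the signing context only; it is never logged or serialized here.
        DOMSignContext signContext = new DOMSignContext(settings.getPrivateKey(), securityHeader);
        signContext.setDefaultNamespacePrefix(ELEMENT_PREFIX_DS);
        signContext.putNamespacePrefix(XML_DSIG_URI, ELEMENT_PREFIX_DS);
        if (isExclusiveCanonicalization(settings.getCanonicalizationAlgorithm())
                || CanonicalizationMethod.EXCLUSIVE.equals(settings.getTransformAlgorithm())) {
            // The ec:InclusiveNamespaces element always lives in the plain exclusive-C14N
            // namespace, so that URI (not the configured algorithm URI, which may be the
            // with-comments variant or only the transform) is the one bound to "ec".
            signContext.putNamespacePrefix(CanonicalizationMethod.EXCLUSIVE, ELEMENT_PREFIX_EC);
        }
        // Register wsu:Id as an ID attribute so the "#id" reference URIs resolve during signing.
        if (settings.isSignBody()) {
            signContext.setIdAttributeNS(body, WSU_URI, ATTRIBUTE_NAME_ID);
        }
        if (settings.isSignSecurityTimestampHeader()) {
            signContext.setIdAttributeNS(timestampElement, WSU_URI, ATTRIBUTE_NAME_ID);
        }

        KeyInfo keyInfo = KeyInfoFactory.getInstance().newKeyInfo(
                Collections.singletonList(new DOMStructure(createSecurityTokenReferenceElement(securityHeader, tokenId))),
                generateId(ATTRIBUTE_ID_PREFIX_KEYINFO));
        XMLSignature signature = factory.newXMLSignature(signedInfo, keyInfo, null,
                generateId(ATTRIBUTE_ID_PREFIX_SIGNATURE), generateId(ATTRIBUTE_ID_PREFIX_SIGNATUREVALUE));
        // NOTE(review): base URI taken from a DB constant; presumably a path separator — confirm intent.
        signContext.setBaseURI(DBConstants.DEFAULT_SEPARATOR);
        signature.sign(signContext);
    }

    /** Returns the {@code wsse:Security} header child, or {@code null} when absent. */
    private static SOAPElement getSecurityHeaderElement(SOAPMessage sOAPMessage) throws SOAPException {
        SOAPHeader header = sOAPMessage.getSOAPHeader();
        if (header == null) {
            return null;
        }
        return getChildElement(header, new QName(WSSE_URI, ELEMENT_NAME_SECURITY));
    }

    /** Returns the {@code wsu:Timestamp} inside the security header, or {@code null} when either is absent. */
    private static SOAPElement getSecurityTTLHeaderElement(SOAPMessage sOAPMessage) throws SOAPException {
        SOAPElement securityHeader = getSecurityHeaderElement(sOAPMessage);
        if (securityHeader == null) {
            return null;
        }
        return getSecurityTTLHeaderElement(securityHeader);
    }

    /** Returns the {@code wsu:Timestamp} child of the given security header, or {@code null}. */
    private static SOAPElement getSecurityTTLHeaderElement(SOAPElement securityHeader) {
        return getChildElement(securityHeader, new QName(WSU_URI, ELEMENT_NAME_TIMESTAMP));
    }

    /**
     * Adds a {@code wsse:Security} header (creating the SOAP header if needed) and
     * returns the element that is attached to the tree.
     *
     * <p>SAAJ allows {@code addChildElement(SOAPElement)} to copy a factory-created
     * element instead of attaching it as-is, so the return value of that call — not
     * the template — is what callers must use.
     */
    private static SOAPElement createSecurityHeaderElement(SOAPMessage sOAPMessage) throws SOAPException {
        SOAPElement template = SOAPFactory.newInstance().createElement(ELEMENT_NAME_SECURITY, ELEMENT_PREFIX_WSSE, WSSE_URI);
        template.addAttribute(new QName(WSU_NS), WSU_URI);
        SOAPHeader header = sOAPMessage.getSOAPHeader();
        if (header == null) {
            header = sOAPMessage.getSOAPPart().getEnvelope().addHeader();
        }
        return header.addChildElement(template);
    }

    /**
     * Appends a {@code wsse:BinarySecurityToken} holding the Base64 DER encoding of the
     * caller's certificate and returns the {@code wsu:Id} assigned to it.
     *
     * <p>Only the public certificate is embedded; the receiver is expected to decide
     * whether it trusts it — nothing here asserts trust.
     */
    private static String createBinarySecurityTokenHeader(SOAPElement securityHeader, X509TokenSecurityProfileSettings settings) throws SOAPException, CertificateEncodingException {
        SOAPElement token = securityHeader.addChildElement(ELEMENT_NAME_BINARY_SECURITY_TOKEN, ELEMENT_PREFIX_WSSE, WSSE_URI);
        token.addAttribute(new QName(ATTRIBUTE_NAME_ENCODING_TYPE), ATTRIBUTE_VALUE_BASE64_BINARY_ENCODING_TYPE);
        token.addAttribute(new QName(ATTRIBUTE_NAME_VALUE_TYPE), ATTRIBUTE_VALUE_VALUE_TYPE_X509V3);
        String tokenId = addId(ATTRIBUTE_ID_PREFIX_X509_TOKEN, token);
        token.addTextNode(Base64.getEncoder().encodeToString(settings.getCertificate().getEncoded()));
        return tokenId;
    }

    /** Returns the {@code wsse:BinarySecurityToken} child of the security header, or {@code null}. */
    private static SOAPElement getBinarySecurityTokenHeader(SOAPElement securityHeader) {
        return getChildElement(securityHeader, new QName(WSSE_URI, ELEMENT_NAME_BINARY_SECURITY_TOKEN));
    }

    /** Assigns a fresh {@code wsu:Id} to the SOAP body and returns it. */
    private static String addIdToBody(SOAPMessage sOAPMessage) throws SOAPException {
        String id = generateId(ATTRIBUTE_ID_PREFIX_BODY);
        sOAPMessage.getSOAPBody().addAttribute(
                sOAPMessage.getSOAPPart().getEnvelope().createName(ATTRIBUTE_NAME_ID, ELEMENT_PREFIX_WSU, WSU_URI), id);
        return id;
    }

    /**
     * Produces a unique id of the form {@code <prefix>_<uuid>}. Ids only need to be
     * unique within the message; they carry no secret.
     */
    private static String generateId(String prefix) {
        return prefix + "_" + UUID.randomUUID().toString();
    }

    /** Assigns a fresh {@code wsu:Id} with the given prefix to the element and returns it. */
    private static String addId(String prefix, SOAPElement element) throws SOAPException {
        String id = generateId(prefix);
        element.addAttribute(new QName(WSU_URI, ATTRIBUTE_NAME_ID, ELEMENT_PREFIX_WSU), id);
        return id;
    }

    /** Returns the first child element with the given qualified name, or {@code null}. */
    private static SOAPElement getChildElement(SOAPElement parent, QName qName) {
        Iterator<?> children = parent.getChildElements(qName);
        if (children == null || !children.hasNext()) {
            return null;
        }
        return (SOAPElement) children.next();
    }

    /** Thin wrapper around {@link SOAPElement#getAttributeValue(QName)}. */
    private static String getAttributeValue(SOAPElement element, QName qName) {
        return element.getAttributeValue(qName);
    }

    /** Returns the element's {@code wsu:Id} attribute value, or {@code null} when unset. */
    private static String getWSUId(SOAPElement element) {
        return getAttributeValue(element, new QName(WSU_URI, ATTRIBUTE_NAME_ID));
    }

    /**
     * Appends a {@code wsse:SecurityTokenReference} whose {@code wsse:Reference} points at
     * the token with the given id. The {@code wsse} prefix is resolved from the enclosing
     * security header, which declares it.
     */
    private static SOAPElement createSecurityTokenReferenceElement(SOAPElement securityHeader, String tokenId) throws SOAPException {
        SOAPElement tokenReference = securityHeader.addChildElement(ELEMENT_NAME_SECURITY_TOKEN_REFERENCE, ELEMENT_PREFIX_WSSE);
        SOAPElement reference = tokenReference.addChildElement(ELEMENT_NAME_REFERENCE, ELEMENT_PREFIX_WSSE);
        reference.setAttribute(ATTRIBUTE_NAME_URI, "#" + tokenId);
        reference.setAttribute(ATTRIBUTE_NAME_VALUE_TYPE, ATTRIBUTE_VALUE_VALUE_TYPE_X509V3);
        return tokenReference;
    }

    /**
     * Ensures every part that will be signed carries a {@code wsu:Id}; existing ids are kept.
     * The timestamp is assumed present when its signing is requested (validated earlier).
     */
    private static void assignWSUIds(X509TokenSecurityProfileSettings settings, SOAPMessage sOAPMessage) throws SOAPException {
        if (settings.isSignBody() && StringUtils.isBlank(getWSUId(sOAPMessage.getSOAPBody()))) {
            addIdToBody(sOAPMessage);
        }
        if (settings.isSignSecurityTimestampHeader()) {
            SOAPElement timestampElement = getSecurityTTLHeaderElement(sOAPMessage);
            if (StringUtils.isBlank(getWSUId(timestampElement))) {
                addId(ATTRIBUTE_ID_PREFIX_TIMESTAMP, timestampElement);
            }
        }
    }
}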
