package com.mulesoft.modules.cryptography.internal.xml.impl;

import com.mulesoft.modules.cryptography.api.jce.config.JceAsymmetricKeyInfo;
import com.mulesoft.modules.cryptography.api.xml.config.EphemeralKeyInfo;
import com.mulesoft.modules.cryptography.api.xml.config.XmlCanonicalizationAlgorithm;
import com.mulesoft.modules.cryptography.api.xml.config.XmlEncryptionAlgorithm;
import com.mulesoft.modules.cryptography.api.xml.config.XmlSignDigestAlgorithm;
import com.mulesoft.modules.cryptography.api.xml.config.XmlSignatureType;
import com.mulesoft.modules.cryptography.internal.errors.CryptoErrors;
import com.mulesoft.modules.cryptography.internal.jce.config.JceConfiguration;
import com.mulesoft.modules.cryptography.internal.xml.NodeListUtils;
import com.mulesoft.modules.cryptography.internal.xml.XMLUtils;
import com.mulesoft.modules.cryptography.internal.xml.config.XmlSignEncryptionAlgorithm;
import com.mulesoft.modules.cryptography.internal.xml.reference.SignatureContextProvider;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLValidateContext;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import org.apache.commons.lang3.StringUtils;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.keys.KeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.mule.runtime.api.i18n.I18nMessageFactory;
import org.mule.runtime.api.util.Pair;
import org.mule.runtime.core.api.util.IOUtils;
import org.mule.runtime.extension.api.exception.ModuleException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:com/mulesoft/modules/cryptography/internal/xml/impl/XmlAsymmetricKeyImpl.class */
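/**
 * XML Encryption / XML Signature operations backed by an asymmetric key pair taken from the
 * configured JCE keystore.
 *
 * <p>Encryption is hybrid: a fresh symmetric key (from {@link EphemeralKeyInfo}) encrypts the
 * selected element(s) and is itself wrapped with the public key inside an {@code EncryptedKey}.
 * Decryption unwraps that key with the private key. Signing uses the private key and embeds the
 * certificate in {@code KeyInfo}; validation checks the signature against either the configured
 * public key or a certificate looked up in the keystore (see {@link #getKeySelector()}).
 *
 * <p>NOTE(review): this class does not parse XML itself; XXE / entity-expansion hardening lives in
 * {@code XMLUtils.documentBasedOnThe} and must be verified there, since the documents handled here
 * are typically untrusted input.
 */
public class XmlAsymmetricKeyImpl extends XmlKeyImpl {

    /** Namespace prefix written on the {@code ds:Signature} subtree this class produces. */
    public static final String DSIG_PREFIX = "dsig";

    private static final String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String ENCRYPTED_DATA = "EncryptedData";
    private static final String SIGNATURE = "Signature";

    private final JceConfiguration config;
    private final JceAsymmetricKeyInfo keyInfo;
    /** May be {@code null} when built through the signing-only constructor; required by {@link #encrypt}. */
    private final EphemeralKeyInfo ephemeralKeyInfo;
    /** When true, validation resolves the verification certificate from the keystore instead of {@link #keyInfo}. */
    private final boolean useInternalCertificate;

    /**
     * Creates an instance that validates against the key pair in {@code jceAsymmetricKeyInfo}.
     *
     * @param jceConfiguration      keystore-bearing configuration
     * @param jceAsymmetricKeyInfo  key-pair reference inside that keystore
     * @param ephemeralKeyInfo      symmetric-key parameters for hybrid encryption (may be null if never encrypting)
     */
    public XmlAsymmetricKeyImpl(JceConfiguration jceConfiguration, JceAsymmetricKeyInfo jceAsymmetricKeyInfo, EphemeralKeyInfo ephemeralKeyInfo) {
        this(jceConfiguration, jceAsymmetricKeyInfo, ephemeralKeyInfo, false);
    }

    /**
     * Creates an instance without ephemeral-key parameters; {@link #encrypt} is unusable on it.
     *
     * @param z whether signature validation should look the certificate up in the keystore
     */
    public XmlAsymmetricKeyImpl(JceConfiguration jceConfiguration, JceAsymmetricKeyInfo jceAsymmetricKeyInfo, boolean z) {
        this(jceConfiguration, jceAsymmetricKeyInfo, null, z);
    }

    /**
     * Full constructor.
     *
     * @param z whether signature validation should look the certificate up in the keystore
     *          ({@code true}) or use the public key of {@code jceAsymmetricKeyInfo} ({@code false})
     */
    public XmlAsymmetricKeyImpl(JceConfiguration jceConfiguration, JceAsymmetricKeyInfo jceAsymmetricKeyInfo, EphemeralKeyInfo ephemeralKeyInfo, boolean z) {
        this.config = jceConfiguration;
        this.keyInfo = jceAsymmetricKeyInfo;
        this.ephemeralKeyInfo = ephemeralKeyInfo;
        this.useInternalCertificate = z;
    }

    /**
     * Encrypts either every element matched by {@code str} or, when {@code str} is blank, the root element.
     *
     * @param inputStream            the XML document to encrypt
     * @param xmlEncryptionAlgorithm symmetric content-encryption algorithm
     * @param str                    element selector passed to {@code XMLUtils.getElements}; blank selects the root
     * @param z                      forwarded to {@code XMLCipher.doFinal} (Santuario's "content only" flag)
     * @return the serialized document with the selected elements replaced by {@code EncryptedData}
     * @throws ModuleException with {@code CryptoErrors.ENCRYPTION} on any failure, including a
     *                         missing ephemeral-key configuration
     */
    @Override // com.mulesoft.modules.cryptography.internal.xml.impl.XmlKeyImpl
    public InputStream encrypt(InputStream inputStream, XmlEncryptionAlgorithm xmlEncryptionAlgorithm, String str, boolean z) {
        Document document = XMLUtils.documentBasedOnThe(IOUtils.toByteArray(inputStream));
        try {
            // The signing-only constructor leaves this null; fail with a readable cause instead of an NPE.
            if (this.ephemeralKeyInfo == null) {
                throw new IllegalStateException("An ephemeral key configuration is required to encrypt");
            }
            if (StringUtils.isNotBlank(str)) {
                NodeList matches = XMLUtils.getElements(str, document);
                int count = matches.getLength();
                for (int i = 0; i < count; i++) {
                    encryptElement(xmlEncryptionAlgorithm, document, (Element) matches.item(i), z);
                }
            } else {
                encryptElement(xmlEncryptionAlgorithm, document, document.getDocumentElement(), z);
            }
            return new ByteArrayInputStream(XMLUtils.createXmlUsing(document));
        } catch (ModuleException e) {
            throw e;
        } catch (Exception e) {
            throw new ModuleException(I18nMessageFactory.createStaticMessage("Could not encrypt document"), CryptoErrors.ENCRYPTION, e);
        }
    }

    /**
     * Decrypts every {@code xenc:EncryptedData} element selected by {@code str}, or all of them when
     * {@code str} is blank, unwrapping the embedded {@code EncryptedKey} with the private key.
     *
     * <p>NOTE(review): the content-encryption algorithm is read from the (untrusted) document and
     * honoured by Santuario; if CBC block modes are accepted, consider the XML-Encryption padding
     * oracle literature before exposing decryption errors to a remote caller. Also, nothing here
     * verifies a signature before decrypting — callers that need authenticity must validate first.
     *
     * @param inputStream the XML document to decrypt
     * @param str         element selector; blank means every {@code EncryptedData} in the document
     * @return the serialized document with ciphertext replaced by plaintext
     * @throws ModuleException with {@code CryptoErrors.DECRYPTION} when a selected node is not an
     *                         {@code EncryptedData} element or decryption fails
     */
    @Override // com.mulesoft.modules.cryptography.internal.xml.impl.XmlKeyImpl
    public InputStream decrypt(InputStream inputStream, String str) {
        Document document = XMLUtils.documentBasedOnThe(IOUtils.toByteArray(inputStream));
        Key privateKey = this.keyInfo.getPrivateKey(this.config.getKeystore());
        try {
            NodeList matches = StringUtils.isBlank(str)
                    ? document.getElementsByTagNameNS(XMLENC_NS, ENCRYPTED_DATA)
                    : XMLUtils.getElements(str, document);
            // Snapshot the targets before mutating the DOM. getElementsByTagNameNS() is a live list
            // that shrinks as each EncryptedData is replaced, which is the only reason the previous
            // "item(0) on every iteration" worked; with a static selector result it re-processed the
            // same, already-replaced element and lost every match after the first.
            List<Node> targets = new ArrayList<>();
            for (int i = 0; i < matches.getLength(); i++) {
                targets.add(matches.item(i));
            }
            XMLCipher cipher = XMLCipher.getInstance();
            cipher.setKEK(privateKey);
            for (Node node : targets) {
                if (!isEncryptedData(node)) {
                    throw new RuntimeException("Trying to decrypt a non encrypted element. Invalid elementPath");
                }
                // Key is null on purpose: the data key is unwrapped from the EncryptedKey with the KEK.
                cipher.init(XMLCipher.DECRYPT_MODE, (Key) null);
                cipher.doFinal(document, (Element) node);
            }
            return new ByteArrayInputStream(XMLUtils.createXmlUsing(document));
        } catch (ModuleException e) {
            throw e;
        } catch (Exception e) {
            throw new ModuleException(I18nMessageFactory.createStaticMessage("Could not decrypt document"), CryptoErrors.DECRYPTION, e);
        }
    }

    /** True when {@code node} is an element named {@code EncryptedData} in the XML-Encryption namespace (null-safe). */
    private static boolean isEncryptedData(Node node) {
        return node instanceof Element
                && ENCRYPTED_DATA.equals(node.getLocalName())
                && XMLENC_NS.equals(node.getNamespaceURI());
    }

    /**
     * Produces an XML-DSig signature over the reference chosen by {@link SignatureContextProvider}
     * and inserts it at the provider's parent node.
     *
     * @param inputStream                  the XML document to sign
     * @param xmlSignDigestAlgorithm       digest used for the reference
     * @param xmlCanonicalizationAlgorithm canonicalization method for {@code SignedInfo}
     * @param xmlSignatureType             enveloped / enveloping / detached handling (delegated to the provider)
     * @param str                          element selector handed to the provider
     * @return the serialized signed document
     * @throws ModuleException with {@code CryptoErrors.SIGNATURE} on failure, or
     *                         {@code CryptoErrors.PARAMETERS} for an unsupported key algorithm
     */
    @Override // com.mulesoft.modules.cryptography.internal.xml.impl.XmlKeyImpl
    public InputStream sign(InputStream inputStream, XmlSignDigestAlgorithm xmlSignDigestAlgorithm, XmlCanonicalizationAlgorithm xmlCanonicalizationAlgorithm, XmlSignatureType xmlSignatureType, String str) {
        Document document = XMLUtils.documentBasedOnThe(IOUtils.toByteArray(inputStream));
        SignatureContextProvider context = SignatureContextProvider.createContextFor(xmlSignatureType, xmlSignDigestAlgorithm, document, str);
        try {
            Document prepared = context.preProcess(document);
            Reference reference = context.getReference();
            KeyStore keystore = this.config.getKeystore();
            Key privateKey = this.keyInfo.getPrivateKey(keystore);
            XMLSignature signature = fac.newXMLSignature(
                    getSignedInfo(reference, xmlCanonicalizationAlgorithm, privateKey),
                    getKeyInfo((KeyStore.PrivateKeyEntry) this.keyInfo.getEntry(keystore)),
                    context.getReferencedObjects(),
                    (String) null,
                    (String) null);
            DOMSignContext signContext = new DOMSignContext(privateKey, context.getSignatureParentNode());
            signContext.setDefaultNamespacePrefix(DSIG_PREFIX);
            signature.sign(signContext);
            return new ByteArrayInputStream(XMLUtils.createXmlUsing(context.postProcess(prepared)));
        } catch (ModuleException e) {
            throw e;
        } catch (Exception e) {
            throw new ModuleException(I18nMessageFactory.createStaticMessage("Could not sign document"), CryptoErrors.SIGNATURE, e);
        }
    }

    /**
     * Validates one {@code ds:Signature} in the document: the only one present, or — when several
     * exist — the one selected by {@code str} through {@code SignatureFilterSelector}.
     *
     * <p>Security note: {@code XMLSignature.validate} checks the signature value and every reference
     * digest against the key chosen by {@link #getKeySelector()}. It does not by itself prove that
     * the signature covers the element the caller cares about; that binding is delegated to the
     * selector/filter, so callers should rely on an explicit {@code str} when more than one
     * signature can appear in untrusted input (signature-wrapping defence).
     *
     * @param inputStream the signed XML document
     * @param str         selector for the targeted signature; {@code null} is only valid with exactly one signature
     * @return {@code true} if the targeted signature verifies, {@code false} otherwise
     * @throws ModuleException with {@code CryptoErrors.VALIDATION} when no signature is found, several
     *                         are found without a selector, or the selected one cannot be unmarshalled
     */
    @Override // com.mulesoft.modules.cryptography.internal.xml.impl.XmlKeyImpl
    public boolean validate(InputStream inputStream, String str) {
        try {
            Document document = XMLUtils.documentBasedOnThe(IOUtils.toByteArray(inputStream));
            NodeList signatures = document.getElementsByTagNameNS(XMLDSIG_NS, SIGNATURE);
            if (signatures.getLength() == 0) {
                throw new IllegalStateException("Could not find Signature element");
            }
            // NOTE(review): kept as a strict null check; an empty selector is passed through to the filter.
            if (signatures.getLength() > 1 && str == null) {
                throw new IllegalStateException(XMLUtils.MORE_THAN_ONE_SIGNATURE_FOUND);
            }
            Optional<Pair<DOMValidateContext, XMLSignature>> target = NodeListUtils.toList(signatures).stream()
                    .map(this::nodeToValidationContextAndSignature)
                    .filter(SignatureFilterSelector.forDocumentAndElementPath(document, str))
                    .findFirst();
            return validateSignaturePair(target.orElseThrow(() -> new ModuleException(
                    I18nMessageFactory.createStaticMessage("Could not find the targeted signature"), CryptoErrors.VALIDATION)));
        } catch (ModuleException e) {
            throw e;
        } catch (Exception e) {
            throw new ModuleException(I18nMessageFactory.createStaticMessage("Could not validate signature"), CryptoErrors.VALIDATION, e);
        }
    }

    /**
     * Runs core validation (signature value plus all reference digests) for an unmarshalled signature.
     *
     * @return the result of {@code XMLSignature.validate}
     * @throws XMLSignatureException if validation cannot be performed
     */
    protected boolean validateSignaturePair(Pair<DOMValidateContext, XMLSignature> pair) throws XMLSignatureException {
        XMLSignature signature = pair.getSecond();
        XMLValidateContext validateContext = pair.getFirst();
        return signature.validate(validateContext);
    }

    /**
     * Builds a validation context for a {@code ds:Signature} node and unmarshals the signature from it.
     *
     * <p>NOTE(review): no {@code org.jcp.xml.dsig.secureValidation} property is set here, so the
     * defensive limits (no XSLT transforms, reference/transform caps, weak-key rejection) only apply
     * on JDKs that enable secure validation by default (17+). Enabling it explicitly would also reject
     * the SHA-1 signatures {@link #getSignedInfo} still produces on those JDKs, so the two should be
     * changed together.
     *
     * @throws ModuleException with {@code CryptoErrors.VALIDATION} if the node cannot be unmarshalled
     */
    protected Pair<DOMValidateContext, XMLSignature> nodeToValidationContextAndSignature(Node node) {
        DOMValidateContext validateContext = new DOMValidateContext(getKeySelector(), node);
        try {
            return new Pair<>(validateContext, fac.unmarshalXMLSignature(validateContext));
        } catch (MarshalException e) {
            throw new ModuleException(I18nMessageFactory.createStaticMessage("Failed to extract signature for node"), CryptoErrors.VALIDATION, e);
        }
    }

    /**
     * Chooses how the verification key is obtained: the configured public key, or — when
     * {@link #useInternalCertificate} is set — an {@code X509KeySelector} over the keystore.
     *
     * <p>NOTE(review): the document's {@code KeyInfo} is attacker-controlled; {@code X509KeySelector}
     * is presumed to anchor any certificate it picks to the keystore rather than trusting one
     * embedded in the document. Confirm in that class.
     */
    private KeySelector getKeySelector() {
        if (this.useInternalCertificate) {
            return new X509KeySelector(this.config.getKeystore().getUnderlyingKeyStore(), true);
        }
        return KeySelector.singletonKeySelector(this.keyInfo.getPublicKey(this.config.getKeystore()));
    }

    /**
     * Assembles {@code SignedInfo} with a signature method derived from the private key's algorithm.
     *
     * <p>NOTE(review): RSA and DSA keys still sign with SHA-1 based methods, which are deprecated and
     * rejected by JDK 17+ secure validation; {@code XmlSignEncryptionAlgorithm} exposes no SHA-256
     * variants for them in this file, so the upgrade has to be made in that enum.
     *
     * @throws ModuleException with {@code CryptoErrors.PARAMETERS} for key algorithms other than RSA, DSA or EC
     */
    private SignedInfo getSignedInfo(Reference reference, XmlCanonicalizationAlgorithm xmlCanonicalizationAlgorithm, Key key) throws Exception {
        String keyAlgorithm = key.getAlgorithm();
        String signatureMethod;
        if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
            signatureMethod = XmlSignEncryptionAlgorithm.RSA_SHA1.getAlgorithm();
        } else if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
            signatureMethod = XmlSignEncryptionAlgorithm.DSA_SHA1.getAlgorithm();
        } else if ("EC".equalsIgnoreCase(keyAlgorithm)) {
            signatureMethod = XmlSignEncryptionAlgorithm.ECDSA_SHA256.getAlgorithm();
        } else {
            // Message previously omitted EC even though the branch above accepts it.
            throw new ModuleException(I18nMessageFactory.createStaticMessage("Supported keys are RSA, DSA and EC, but found " + keyAlgorithm), CryptoErrors.PARAMETERS);
        }
        return fac.newSignedInfo(
                fac.newCanonicalizationMethod(xmlCanonicalizationAlgorithm.getAlgorithm(), (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(signatureMethod, (SignatureMethodParameterSpec) null),
                Collections.singletonList(reference));
    }

    /**
     * Hybrid-encrypts one element: a fresh symmetric key encrypts the element, and that key is wrapped
     * with the public key into an {@code EncryptedKey} placed in the {@code EncryptedData}'s KeyInfo
     * (with the key id as both {@code KeyName} and {@code Recipient}).
     *
     * @param z forwarded to {@code XMLCipher.doFinal}; assumed to be Santuario's "content only" flag — confirm
     */
    private void encryptElement(XmlEncryptionAlgorithm xmlEncryptionAlgorithm, Document document, Element element, boolean z) throws Exception {
        Key publicKey = this.keyInfo.getPublicKey(this.config.getKeystore());
        Key dataKey = this.ephemeralKeyInfo.createSymmetricKey(xmlEncryptionAlgorithm);

        // Key-transport cipher: wraps the data key with the public key using the configured
        // transport algorithm, c14n method and digest (the latter two presumably feed RSA-OAEP).
        XMLCipher keyCipher = XMLCipher.getInstance(
                this.ephemeralKeyInfo.getEncryptionAlgorithm().getAlgorithm(),
                this.ephemeralKeyInfo.getC14nAlgorithm().getAlgorithm(),
                this.ephemeralKeyInfo.getDigestAlgorithm().getAlgorithm());
        keyCipher.init(XMLCipher.WRAP_MODE, publicKey);
        EncryptedKey encryptedKey = keyCipher.encryptKey(document, dataKey);
        KeyInfo keyNameInfo = new KeyInfo(document);
        keyNameInfo.addKeyName(this.keyInfo.getKeyId());
        encryptedKey.setRecipient(this.keyInfo.getKeyId());
        encryptedKey.setKeyInfo(keyNameInfo);

        // Content cipher: the exact algorithm URI is picked by the data key's byte length.
        XMLCipher dataCipher = XMLCipher.getInstance(xmlEncryptionAlgorithm.getInfo().getAlgorithm(dataKey.getEncoded().length));
        dataCipher.init(XMLCipher.ENCRYPT_MODE, dataKey);
        EncryptedData encryptedData = dataCipher.getEncryptedData();
        KeyInfo wrappedKeyInfo = new KeyInfo(document);
        wrappedKeyInfo.add(encryptedKey);
        encryptedData.setKeyInfo(wrappedKeyInfo);
        dataCipher.doFinal(document, element, z);
    }

    /**
     * Builds the {@code ds:KeyInfo} emitted with a signature: an {@code X509Data} holding the
     * subject name and the certificate of the signing entry.
     */
    public javax.xml.crypto.dsig.keyinfo.KeyInfo getKeyInfo(KeyStore.PrivateKeyEntry privateKeyEntry) {
        X509Certificate certificate = (X509Certificate) privateKeyEntry.getCertificate();
        KeyInfoFactory keyInfoFactory = fac.getKeyInfoFactory();
        List<Object> x509Content = new ArrayList<>();
        x509Content.add(certificate.getSubjectX500Principal().getName());
        x509Content.add(certificate);
        return keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(x509Content)));
    }

    static {
        // Register BouncyCastle once, at the lowest provider precedence, if not already present.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}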
