package com.alphawallet.token.tools;

import com.alphawallet.token.entity.XMLDsigVerificationResult;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyName;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:com/alphawallet/token/tools/XMLDSigVerifier.class */
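/**
 * Verifies an XML digital signature (XMLDSig) and the X.509 certificate chain carried in its
 * {@code KeyInfo}, and reports the outcome as an {@link XMLDsigVerificationResult}.
 *
 * <p>Verification has two stages: the signature value is checked with a key taken from the
 * document's own {@code KeyInfo}, then the embedded certificate chain is validated against the
 * platform's default trust anchors. The result is only meaningful if the key used in the first
 * stage is the key certified in the second, so that binding is checked explicitly.
 *
 * <p>NOTE(review): only the first {@code ds:Signature} element in the document is verified, and
 * nothing in this class confirms that its {@code Reference}s cover the content the caller goes
 * on to use. Callers that act on the document should confirm signature coverage themselves.
 */
public class XMLDSigVerifier {

    /** Namespace URI of the XMLDSig {@code Signature} element. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /**
     * Key selector that picks the verification key from the signature's {@code KeyInfo}: an
     * embedded {@code KeyValue} if one decodes, otherwise the public key of the certificate
     * chosen by {@link XMLDSigVerifier#selectSigningKeyFromXML(List)}.
     *
     * <p>The key returned here is NOT trusted by itself; it comes from the document being
     * verified. Trust is established later by the certificate-chain validation.
     *
     * <p>Decompiler note: access was widened from private.
     */
    public class SigningCertSelector extends KeySelector {
        private SigningCertSelector() {
        }

        /**
         * Selects the key used to verify the signature value.
         *
         * @param keyInfo the signature's KeyInfo; must not be null
         * @param purpose unused
         * @param algorithmMethod unused
         * @param xMLCryptoContext unused
         * @return a result wrapping the selected public key
         * @throws KeySelectorException if {@code keyInfo} is null, more than one KeyValue is
         *     present, or no usable key or certificate can be found
         */
        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod algorithmMethod, XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
            if (keyInfo == null) {
                throw new KeySelectorException("Null KeyInfo object!");
            }
            List<?> content = keyInfo.getContent();
            PublicKey embeddedKey = null;
            boolean seenKeyValue = false;
            for (Object item : content) {
                if (!(item instanceof KeyValue)) {
                    continue;
                }
                if (seenKeyValue) {
                    throw new KeySelectorException("Duplicate KeyValue");
                }
                seenKeyValue = true;
                try {
                    embeddedKey = ((KeyValue) item).getPublicKey();
                } catch (KeyException e) {
                    // Best effort: an undecodable KeyValue falls through to the certificate path.
                    e.printStackTrace();
                }
            }
            if (embeddedKey != null) {
                return new SimpleKeySelectorResult(embeddedKey);
            }

            X509Certificate signingCert;
            try {
                signingCert = XMLDSigVerifier.this.selectSigningKeyFromXML(content);
            } catch (Exception e) {
                // Keep the cause so the real failure is not reduced to its message.
                throw new KeySelectorException(e.getMessage(), e);
            }
            if (signingCert == null) {
                throw new KeySelectorException("No KeyValue element found!");
            }
            return new SimpleKeySelectorResult(signingCert.getPublicKey());
        }
    }

    /** Minimal {@link KeySelectorResult} that holds a single public key. */
    private static final class SimpleKeySelectorResult implements KeySelectorResult {
        private final PublicKey pk;

        SimpleKeySelectorResult(PublicKey publicKey) {
            this.pk = publicKey;
        }

        @Override
        public Key getKey() {
            return this.pk;
        }
    }

    /**
     * Verifies the signature in the given XML stream and the certificate chain that backs it.
     *
     * @param inputStream the XML document to verify; treated as untrusted input
     * @return a result whose {@code isValid} is true only if both the signature and the
     *     certificate chain checks passed; on failure {@code failureReason} describes why
     */
    public XMLDsigVerificationResult VerifyXMLDSig(InputStream inputStream) {
        XMLDsigVerificationResult result = new XMLDsigVerificationResult();
        try {
            XMLSignature signature = getValidXMLSignature(inputStream);
            result.isValid = true;
            // validateCertificateIssuer resets isValid to false if the chain checks fail.
            return validateCertificateIssuer(signature, result);
        } catch (Exception e) {
            result.isValid = false;
            result.failureReason = describeFailure(e);
            return result;
        }
    }

    /**
     * Parses the document and cryptographically validates its first {@code ds:Signature}.
     *
     * <p>The parser is hardened because the input is untrusted: secure processing is enabled
     * and external entities and external DTDs are not loaded. Inline DOCTYPE declarations are
     * still accepted; if signed files never carry one, also setting
     * {@code http://apache.org/xml/features/disallow-doctype-decl} would be stricter.
     * A parser that does not support these features makes verification fail rather than run
     * unhardened.
     *
     * @param inputStream the XML document
     * @return the signature, already validated against the key chosen by
     *     {@link SigningCertSelector}
     * @throws DOMException if the document has no {@code ds:Signature} element
     * @throws XMLSignatureException if the signature does not validate
     */
    XMLSignature getValidXMLSignature(InputStream inputStream) throws ParserConfigurationException, IOException, SAXException, MarshalException, XMLSignatureException, DOMException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        Document document = factory.newDocumentBuilder().parse(inputStream);
        document.getDocumentElement().normalize();
        NodeList signatures = document.getElementsByTagNameNS(XMLDSIG_NS, "Signature");
        if (signatures.getLength() == 0) {
            throw new DOMException((short) 1, "Missing elements");
        }

        XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext context = new DOMValidateContext(new SigningCertSelector(), signatures.item(0));
        // Request the JDK's secure-validation restrictions explicitly instead of relying on
        // the runtime default.
        context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature signature = signatureFactory.unmarshalXMLSignature(context);
        if (!signature.validate(context)) {
            throw new XMLSignatureException("Invalid XML signature");
        }
        return signature;
    }

    /**
     * Validates the chain (leaf first) against the platform's default trust anchors with
     * revocation checking enabled.
     *
     * <p>The only tolerated failure is an expired leaf certificate, and only if the chain is
     * otherwise valid as of the moment the leaf expired. Accepting every failure reported for
     * the leaf would also accept a leaf whose issuer signature is invalid or that has been
     * revoked. NOTE(review): the tolerance is presumed to be meant for expired signer
     * certificates, going by the "Allowing expired cert" message in
     * {@link #selectSigningKeyFromXML(List)} - confirm.
     *
     * @param list the certificate chain, signer certificate at index 0
     * @throws CertPathValidatorException if the chain does not validate
     */
    private void validateCertificateChain(List<X509Certificate> list) throws NoSuchAlgorithmException, KeyStoreException, InvalidAlgorithmParameterException, CertificateException, CertPathValidatorException {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore selects the platform's default trust store.
        trustManagerFactory.init((KeyStore) null);
        X509TrustManager x509TrustManager = null;
        for (TrustManager candidate : trustManagerFactory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                x509TrustManager = (X509TrustManager) candidate;
                break;
            }
        }
        if (x509TrustManager == null) {
            throw new KeyStoreException("No X509TrustManager available");
        }

        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate issuer : x509TrustManager.getAcceptedIssuers()) {
            anchors.add(new TrustAnchor(issuer, null));
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(list);
        PKIXParameters params = new PKIXParameters(anchors);
        // Note: this is a JVM-wide security property, not scoped to this validation.
        Security.setProperty("ocsp.enable", "true");
        params.setRevocationEnabled(true);
        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException e) {
            boolean expiredLeaf = e.getIndex() == 0
                    && e.getReason() == CertPathValidatorException.BasicReason.EXPIRED;
            if (!expiredLeaf) {
                throw e;
            }
            // An expiry failure says nothing about the remaining checks, so run them again as
            // of the last instant the leaf was valid. Revocation is off for this pass because
            // current revocation data cannot be evaluated against a past date.
            PKIXParameters atExpiry = new PKIXParameters(anchors);
            atExpiry.setRevocationEnabled(false);
            atExpiry.setDate(list.get(0).getNotAfter());
            validator.validate(path, atExpiry);
        }
    }

    /**
     * Returns the first certificate whose issuer is not in the list or is the certificate
     * itself, or null if every certificate has a distinct issuer in the list.
     */
    private X509Certificate findRootCert(List<X509Certificate> list) {
        for (X509Certificate candidate : list) {
            X509Certificate signer = findSignerCertificate(candidate, list);
            if (signer == null || signer.equals(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Orders the certificates signer-first: index 0 is the certificate furthest from the root
     * and the last index is the root found by {@link #findRootCert(List)}.
     *
     * @throws IllegalArgumentException if the list is null or empty, or if the certificates do
     *     not link into one chain (previously this surfaced as a NullPointerException or
     *     ArrayIndexOutOfBoundsException without a message)
     */
    private List<X509Certificate> reorderCertificateChain(List<X509Certificate> list) {
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("No certificates to order");
        }
        X509Certificate[] ordered = new X509Certificate[list.size()];
        int slot = list.size() - 1;
        X509Certificate current = findRootCert(list);
        if (current == null) {
            throw new IllegalArgumentException("Certificates do not form a single chain");
        }
        ordered[slot] = current;
        // Walk from the root towards the signer, filling the array back to front.
        while (slot > 0) {
            current = findSignedCert(current, list);
            if (current == null) {
                break;
            }
            slot--;
            ordered[slot] = current;
        }
        if (slot != 0) {
            throw new IllegalArgumentException("Certificates do not form a single chain");
        }
        return Arrays.asList(ordered);
    }

    /**
     * Returns the first certificate in the list, other than {@code x509Certificate} itself,
     * whose issuer DN equals the subject DN of {@code x509Certificate}; null if there is none.
     * Matching is by name only; signatures are checked later by the chain validation.
     */
    private X509Certificate findSignedCert(X509Certificate x509Certificate, List<X509Certificate> list) {
        for (X509Certificate candidate : list) {
            if (candidate.getIssuerDN().equals(x509Certificate.getSubjectDN()) && !candidate.equals(x509Certificate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Returns the first certificate in the list whose subject DN equals the issuer DN of
     * {@code x509Certificate}; null if there is none. Matching is by name only.
     */
    private X509Certificate findSignerCertificate(X509Certificate x509Certificate, List<X509Certificate> list) {
        for (X509Certificate candidate : list) {
            if (candidate.getSubjectDN().equals(x509Certificate.getIssuerDN())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Validates the certificate chain from the signature's KeyInfo and copies the signer's
     * details into the result. Any failure marks the result invalid and records the reason.
     *
     * @param xMLSignature a signature that has already been validated
     * @param xMLDsigVerificationResult the result to fill in
     * @return the same result object
     */
    private XMLDsigVerificationResult validateCertificateIssuer(XMLSignature xMLSignature, XMLDsigVerificationResult xMLDsigVerificationResult) {
        try {
            KeyInfo keyInfo = xMLSignature.getKeyInfo();
            List<?> content = keyInfo.getContent();
            List<X509Certificate> chain = reorderCertificateChain(getCertificateChainFromXML(content));
            X509Certificate signingCert = selectSigningKeyFromXML(content);
            requireKeyBoundToCertificate(xMLSignature, signingCert);
            validateCertificateChain(chain);
            xMLDsigVerificationResult.issuerPrincipal = signingCert.getIssuerX500Principal().getName();
            xMLDsigVerificationResult.subjectPrincipal = signingCert.getSubjectX500Principal().getName();
            xMLDsigVerificationResult.keyType = signingCert.getSigAlgName();
            for (Object item : content) {
                if (item instanceof KeyName) {
                    xMLDsigVerificationResult.keyName = ((KeyName) item).getName();
                }
            }
        } catch (Exception e) {
            xMLDsigVerificationResult.isValid = false;
            xMLDsigVerificationResult.failureReason = describeFailure(e);
        }
        return xMLDsigVerificationResult;
    }

    /**
     * Requires that the key which verified the signature is the public key of the certificate
     * being reported.
     *
     * <p>{@link SigningCertSelector} verifies with an embedded {@code KeyValue} when one is
     * present, while {@link #selectSigningKeyFromXML(List)} falls back to the first chain
     * certificate when that key matches none of them. Without this check a signature made with
     * an uncertified key could be reported under an unrelated, valid certificate chain.
     *
     * @throws CertificateException if the verification key is unavailable or differs from the
     *     certificate's public key
     */
    private void requireKeyBoundToCertificate(XMLSignature signature, X509Certificate signingCert) throws CertificateException {
        KeySelectorResult selected = signature.getKeySelectorResult();
        Key verifyingKey = selected == null ? null : selected.getKey();
        if (verifyingKey == null
                || !Arrays.equals(verifyingKey.getEncoded(), signingCert.getPublicKey().getEncoded())) {
            throw new CertificateException("Signature key does not match the signing certificate");
        }
    }

    /** Returns the exception's message, or its class name when it has no message. */
    private static String describeFailure(Exception e) {
        String message = e.getMessage();
        return message != null ? message : e.getClass().getName();
    }

    /**
     * Extracts the certificates from the single {@code X509Data} element in the KeyInfo
     * content. Entries of {@code X509Data} that are not certificates are ignored; they
     * contribute nothing to trust, which rests on the validated certificates alone.
     *
     * @param list the KeyInfo content
     * @return the certificates in document order, never empty
     * @throws KeyStoreException if there is no X509Data element, more than one, or it holds no
     *     certificates
     */
    private List<X509Certificate> getCertificateChainFromXML(List<?> list) throws KeyStoreException {
        boolean seenX509Data = false;
        List<?> x509Content = null;
        for (Object item : list) {
            if (item instanceof X509Data) {
                if (seenX509Data) {
                    throw new KeyStoreException("Duplicate X509Data element");
                }
                seenX509Data = true;
                x509Content = ((X509Data) item).getContent();
            }
        }
        if (x509Content == null) {
            throw new KeyStoreException("No X509Data element found");
        }
        List<X509Certificate> certificates = new ArrayList<X509Certificate>();
        for (Object entry : x509Content) {
            if (entry instanceof X509Certificate) {
                certificates.add((X509Certificate) entry);
            }
        }
        if (certificates.isEmpty()) {
            throw new KeyStoreException("X509Data contains no certificates");
        }
        return certificates;
    }

    /**
     * Returns the public key from the single {@code KeyValue} element in the KeyInfo content,
     * or null if there is none or it cannot be decoded.
     *
     * @throws KeyStoreException if more than one KeyValue element is present
     */
    private PublicKey recoverPublicKeyFromXML(List<?> list) throws KeyStoreException {
        boolean seenKeyValue = false;
        PublicKey publicKey = null;
        for (Object item : list) {
            if (item instanceof KeyValue) {
                if (seenKeyValue) {
                    throw new KeyStoreException("Duplicate Key found");
                }
                seenKeyValue = true;
                try {
                    publicKey = ((KeyValue) item).getPublicKey();
                } catch (KeyException e) {
                    // Best effort: treated the same as an absent KeyValue.
                    e.printStackTrace();
                }
            }
        }
        return publicKey;
    }

    /**
     * Chooses the certificate to report as the signer.
     *
     * <p>Among currently valid certificates, in signer-first order: if a KeyValue is present,
     * the one whose public key equals it; otherwise the first whose signature algorithm name is
     * {@code SHA256withECDSA}. If none qualifies, the first certificate of the chain is
     * returned. An expired certificate is skipped during matching (despite the log wording) and
     * can only be returned through that fallback.
     *
     * <p>The returned certificate is not yet trusted and is not guaranteed to hold the key that
     * verified the signature; callers must check both.
     *
     * <p>Decompiler note: access was widened from private.
     *
     * @param list the KeyInfo content
     * @return the selected certificate
     * @throws KeyStoreException if the KeyInfo content is malformed (duplicate or missing
     *     elements)
     * @throws CertificateNotYetValidException if a certificate's validity period has not begun
     */
    public X509Certificate selectSigningKeyFromXML(List<?> list) throws KeyStoreException, CertificateNotYetValidException {
        PublicKey embeddedKey = recoverPublicKeyFromXML(list);
        List<X509Certificate> chain = reorderCertificateChain(getCertificateChainFromXML(list));
        for (X509Certificate candidate : chain) {
            try {
                candidate.checkValidity();
                if (embeddedKey != null) {
                    if (Arrays.equals(embeddedKey.getEncoded(), candidate.getPublicKey().getEncoded())) {
                        return candidate;
                    }
                } else if (candidate.getSigAlgName().equals("SHA256withECDSA")) {
                    return candidate;
                }
            } catch (CertificateExpiredException e) {
                System.out.println("Allowing expired cert: " + e.getMessage());
            }
        }
        return chain.get(0);
    }
}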
