package com.helger.peppol.httpclient;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.collection.ArrayHelper;
import com.helger.commons.io.stream.NonBlockingByteArrayInputStream;
import com.helger.commons.io.stream.StreamHelper;
import com.helger.jaxb.GenericJAXBMarshaller;
import com.helger.peppol.smpclient.SMPClientConfiguration;
import com.helger.peppol.smpclient.exception.SMPClientBadResponseException;
import com.helger.xml.serialize.read.DOMReader;
import java.io.IOException;
import java.io.InputStream;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.WillNotClose;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.apache.http.HttpEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/peppol-smp-client-7.0.6.jar:com/helger/peppol/httpclient/SMPHttpResponseHandlerSigned.class */
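/**
 * HTTP response handler for SMP responses that carry an XML Digital Signature.
 * <p>
 * The complete response body is read into memory, the first {@code <Signature>}
 * element is validated against the trust store configured in
 * {@link SMPClientConfiguration}, and only then is the body unmarshalled with the
 * supplied {@link GenericJAXBMarshaller}. Signature checking can be switched off
 * via {@link #setCheckCertificate(boolean)}; doing so is logged as an error on
 * every response.
 *
 * @param <T> the JAXB type the response body is unmarshalled into
 */
public class SMPHttpResponseHandlerSigned<T> extends AbstractSMPResponseHandler<T> {
    /** Default for {@link #isCheckCertificate()}: the response signature is verified. */
    public static final boolean DEFAULT_CHECK_CERTIFICATE = true;

    private static final Logger LOGGER = LoggerFactory.getLogger(SMPHttpResponseHandlerSigned.class);

    /** Namespace of XML Digital Signature, used to locate the {@code <Signature>} element. */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    private final GenericJAXBMarshaller<T> m_aMarshaller;
    private boolean m_bCheckCertificate = DEFAULT_CHECK_CERTIFICATE;

    /**
     * Creates a handler that unmarshals verified responses with the given marshaller.
     *
     * @param genericJAXBMarshaller the marshaller used for the response body; may not be {@code null}
     * @throws NullPointerException if the marshaller is {@code null}
     */
    public SMPHttpResponseHandlerSigned(@Nonnull GenericJAXBMarshaller<T> genericJAXBMarshaller) {
        this.m_aMarshaller = ValueEnforcer.notNull(genericJAXBMarshaller, "Marshaller");
    }

    /**
     * Enables or disables verification of the response signature.
     * Disabling it means an unauthenticated response is accepted and unmarshalled.
     *
     * @param z {@code true} to verify the signature (the default), {@code false} to skip verification
     * @return this for chaining
     */
    @Nonnull
    public final SMPHttpResponseHandlerSigned<T> setCheckCertificate(boolean z) {
        this.m_bCheckCertificate = z;
        return this;
    }

    /**
     * @return {@code true} if the response signature is verified before unmarshalling
     */
    public final boolean isCheckCertificate() {
        return this.m_bCheckCertificate;
    }

    /**
     * Parses the response XML and performs XMLDSig core validation on its first
     * {@code <Signature>} element, using a key selector backed by the configured trust store.
     * <p>
     * Only the first {@code <Signature>} element is validated and this method does not
     * inspect which parts of the document the signature's references cover; additional
     * {@code <Signature>} elements are only reported as a warning.
     *
     * @param inputStream the raw response bytes; not closed by this method
     * @return {@code true} if core validation succeeded, {@code false} otherwise
     * @throws IllegalArgumentException if the XML cannot be parsed or contains no {@code <Signature>} element
     * @throws MarshalException if the signature element cannot be unmarshalled
     * @throws XMLSignatureException if validation itself fails unexpectedly
     */
    private static boolean _checkSignature(@Nonnull @WillNotClose InputStream inputStream) throws MarshalException, XMLSignatureException {
        // NOTE(review): whether DTD processing / external entity resolution is disabled for this
        // parse depends on DOMReader's defaults — confirm in the ph-xml configuration.
        final Document aDoc = DOMReader.readXMLDOM(inputStream);
        if (aDoc == null) {
            throw new IllegalArgumentException("SMP XML response could not be parsed");
        }
        final NodeList aSigNodes = aDoc.getElementsByTagNameNS(XMLDSIG_NS, "Signature");
        if (aSigNodes == null || aSigNodes.getLength() == 0) {
            throw new IllegalArgumentException("Element <Signature> not found in SMP XML response");
        }
        if (aSigNodes.getLength() > 1 && LOGGER.isWarnEnabled()) {
            LOGGER.warn("Found " + aSigNodes.getLength() + " <Signature> elements in SMP XML response; only the first one is validated");
        }

        // The key selector resolves the signing certificate against the configured trust store
        final TrustStoreBasedX509KeySelector aKeySelector = new TrustStoreBasedX509KeySelector(SMPClientConfiguration.getTrustStoreType(),
                                                                                               SMPClientConfiguration.getTrustStorePath(),
                                                                                               SMPClientConfiguration.getTrustStorePassword());
        final DOMValidateContext aValidateContext = new DOMValidateContext(aKeySelector, aSigNodes.item(0));
        final XMLSignature aSignature = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(aValidateContext);

        final boolean bCoreValid = aSignature.validate(aValidateContext);
        if (!bCoreValid) {
            _logValidationFailureDetails(aSignature, aValidateContext);
        }
        return bCoreValid;
    }

    /**
     * Diagnostic logging after a failed core validation: reports whether the
     * {@code SignatureValue} itself validates and, if not, the status of each reference.
     * Has no influence on the validation result.
     *
     * @param aSignature the unmarshalled signature that failed core validation
     * @param aValidateContext the context the signature was validated with
     * @throws XMLSignatureException if validating a part fails unexpectedly
     */
    private static void _logValidationFailureDetails(@Nonnull XMLSignature aSignature,
                                                     @Nonnull DOMValidateContext aValidateContext) throws XMLSignatureException {
        LOGGER.info("Signature failed core validation");
        final boolean bSignatureValueValid = aSignature.getSignatureValue().validate(aValidateContext);
        if (LOGGER.isInfoEnabled()) {
            LOGGER.info("  Signature value valid: " + bSignatureValueValid);
        }
        if (!bSignatureValueValid) {
            int nIndex = 0;
            // getReferences() is a raw List on older JDKs, hence the explicit cast
            for (final Object aRefObj : aSignature.getSignedInfo().getReferences()) {
                final boolean bRefValid = ((Reference) aRefObj).validate(aValidateContext);
                if (LOGGER.isInfoEnabled()) {
                    LOGGER.info("  Reference[" + nIndex + "] validity status: " + (bRefValid ? "valid" : "NOT valid!"));
                }
                nIndex++;
            }
        }
    }

    /**
     * Reads the whole entity, verifies its signature (unless disabled) and unmarshals it.
     *
     * @param httpEntity the HTTP response entity
     * @return the unmarshalled response object, never {@code null}
     * @throws SMPClientBadResponseException if the body is empty, the signature is missing or
     *         invalid, signature validation throws, or the body cannot be unmarshalled
     * @throws IOException if reading the entity content fails
     */
    @Override // com.helger.peppol.httpclient.AbstractSMPResponseHandler
    @Nonnull
    public T handleEntity(@Nonnull HttpEntity httpEntity) throws SMPClientBadResponseException, IOException {
        // The body is needed twice (signature check and unmarshalling), so buffer it
        final byte[] aResponseBytes = StreamHelper.getAllBytes(httpEntity.getContent());
        if (ArrayHelper.isEmpty(aResponseBytes)) {
            throw new SMPClientBadResponseException("Could not read SMP server response content");
        }

        if (this.m_bCheckCertificate) {
            try (final NonBlockingByteArrayInputStream aIS = new NonBlockingByteArrayInputStream(aResponseBytes)) {
                if (!_checkSignature(aIS)) {
                    throw new SMPClientBadResponseException("Signature returned from SMP server was not valid");
                }
            } catch (final SMPClientBadResponseException ex) {
                // Already carries the specific reason; do not bury it as the cause of a generic wrapper
                throw ex;
            } catch (final Exception ex) {
                throw new SMPClientBadResponseException("Error in validating signature returned from SMP server", ex);
            }
        } else {
            LOGGER.error("SMP response certificate checking is disabled. This should not happen in production systems!");
        }

        // Unmarshal only after the signature has been accepted (or checking was explicitly disabled)
        final T aResult = this.m_aMarshaller.read(aResponseBytes);
        if (aResult == null) {
            throw new SMPClientBadResponseException("Malformed XML document returned from SMP server");
        }
        return aResult;
    }
}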
