package com.helger.phase4.incoming.soap;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.collection.impl.CommonsHashSet;
import com.helger.commons.collection.impl.ICommonsList;
import com.helger.commons.io.file.FileHelper;
import com.helger.commons.io.stream.HasInputStream;
import com.helger.commons.io.stream.StreamHelper;
import com.helger.commons.state.ESuccess;
import com.helger.commons.string.StringHelper;
import com.helger.phase4.CAS4;
import com.helger.phase4.attachment.WSS4JAttachment;
import com.helger.phase4.attachment.WSS4JAttachmentCallbackHandler;
import com.helger.phase4.config.AS4Configuration;
import com.helger.phase4.crypto.ECryptoAlgorithmSign;
import com.helger.phase4.crypto.ECryptoAlgorithmSignDigest;
import com.helger.phase4.crypto.ECryptoMode;
import com.helger.phase4.crypto.IAS4CryptoFactory;
import com.helger.phase4.crypto.IAS4DecryptParameterModifier;
import com.helger.phase4.ebms3header.Ebms3Error;
import com.helger.phase4.ebms3header.Ebms3UserMessage;
import com.helger.phase4.incoming.AS4IncomingMessageState;
import com.helger.phase4.model.error.EEbmsError;
import com.helger.phase4.model.pmode.IPMode;
import com.helger.phase4.model.pmode.leg.PModeLeg;
import com.helger.phase4.wss.WSSConfigManager;
import com.helger.phase4.wss.WSSSynchronizer;
import com.helger.xml.XMLHelper;
import java.io.File;
import java.io.IOException;
import java.security.Provider;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.function.Supplier;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngine;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.class */
/**
 * {@link ISoapHeaderElementProcessor} for the {@code wsse:Security} SOAP header.
 * <p>
 * {@link #processHeaderElement} first validates what the header <em>claims</em>
 * (signature and digest algorithm URIs, attachment {@code Content-ID} values
 * against the ebMS {@code PartInfo} references) and only then hands the
 * document to the WSS4J {@link WSSecurityEngine} for signature verification
 * and decryption in {@link #_verifyAndDecrypt}. Results (security actions,
 * used certificate, decrypted document and attachments, or the failing
 * exception) are written back into the {@link AS4IncomingMessageState}.
 * <p>
 * NOTE: this listing is decompiler output (synthetic names such as
 * {@code m120build}, raw {@code CommonsHashSet}); the comments below describe
 * only what the visible code does.
 */
public class SoapHeaderElementProcessorWSS4J implements ISoapHeaderElementProcessor {
    /** QName of the {@code wsse:Security} header element handled by this processor. */
    public static final QName QNAME_SECURITY = new QName(CAS4.WSSE_NS, "Security");
    private static final Logger LOGGER = LoggerFactory.getLogger(SoapHeaderElementProcessorWSS4J.class);
    // Crypto factory used for signature verification (sigVerCrypto).
    private final IAS4CryptoFactory m_aCryptoFactorySign;
    // Crypto factory used for decryption (decCrypto) and for the key store callback handler.
    private final IAS4CryptoFactory m_aCryptoFactoryCrypt;
    // Optional JCA provider passed to WSS4J as the signature provider; may be null.
    private final Provider m_aSecurityProviderSignVerify;
    // Consulted only when the incoming state carries no PMode.
    private final Supplier<? extends IPMode> m_aFallbackPModeProvider;
    // Optional hook to customise WSSConfig / RequestData before verification; may be null.
    private final IAS4DecryptParameterModifier m_aDecryptParameterModifier;

    /**
     * Creates a new processor.
     *
     * @param iAS4CryptoFactory
     *        Crypto factory for signature verification. May not be {@code null}.
     * @param iAS4CryptoFactory2
     *        Crypto factory for decryption. May not be {@code null}.
     * @param provider
     *        Optional JCA provider handed to WSS4J as signature provider. May be {@code null}.
     * @param supplier
     *        Fallback PMode supplier used when the message state has no PMode. May not be {@code null}.
     * @param iAS4DecryptParameterModifier
     *        Optional modifier for the WSS4J configuration and request data. May be {@code null}.
     * @throws NullPointerException
     *         if one of the non-null parameters is {@code null} (via {@link ValueEnforcer}).
     */
    public SoapHeaderElementProcessorWSS4J(@Nonnull IAS4CryptoFactory iAS4CryptoFactory, @Nonnull IAS4CryptoFactory iAS4CryptoFactory2, @Nullable Provider provider, @Nonnull Supplier<? extends IPMode> supplier, @Nullable IAS4DecryptParameterModifier iAS4DecryptParameterModifier) {
        ValueEnforcer.notNull(iAS4CryptoFactory, "CryptoFactorySign");
        ValueEnforcer.notNull(iAS4CryptoFactory2, "CryptoFactoryCrypt");
        ValueEnforcer.notNull(supplier, "FallbackPModeProvider");
        this.m_aCryptoFactorySign = iAS4CryptoFactory;
        this.m_aCryptoFactoryCrypt = iAS4CryptoFactory2;
        this.m_aSecurityProviderSignVerify = provider;
        this.m_aFallbackPModeProvider = supplier;
        this.m_aDecryptParameterModifier = iAS4DecryptParameterModifier;
    }

    /**
     * Runs the WSS4J security engine over the SOAP document: verifies signatures,
     * decrypts the document and the attachments, and stores the outcome in the
     * message state.
     *
     * @param document
     *        The SOAP document to process; on success it is stored as the decrypted document.
     * @param iCommonsList
     *        Incoming attachments; when non-empty they are made available to WSS4J
     *        through an attachment callback handler.
     * @param aS4IncomingMessageState
     *        State receiving the security actions, used certificate, decrypted
     *        document/attachments or the failing exception.
     * @param iCommonsList2
     *        Error list to which an ebMS error is appended on failure.
     * @param supplier
     *        Provides the {@link WSSConfig} for this run (static or per-instance,
     *        chosen by the caller).
     * @return {@link ESuccess#SUCCESS} if processing finished, {@link ESuccess#FAILURE}
     *         if an {@link IOException}, {@link WSSecurityException},
     *         {@link IllegalStateException} or {@link IndexOutOfBoundsException} occurred.
     */
    @Nonnull
    private ESuccess _verifyAndDecrypt(@Nonnull Document document, @Nonnull ICommonsList<WSS4JAttachment> iCommonsList, @Nonnull AS4IncomingMessageState aS4IncomingMessageState, @Nonnull ICommonsList<Ebms3Error> iCommonsList2, @Nonnull Supplier<? extends WSSConfig> supplier) {
        X509Certificate x509Certificate;
        // Resolved before the try block so the catch blocks can build localized errors.
        Locale locale = aS4IncomingMessageState.getLocale();
        try {
            // Key store callback uses the decryption factory, not the signing one.
            AS4KeyStoreCallbackHandler aS4KeyStoreCallbackHandler = new AS4KeyStoreCallbackHandler(this.m_aCryptoFactoryCrypt);
            WSS4JAttachmentCallbackHandler wSS4JAttachmentCallbackHandler = new WSS4JAttachmentCallbackHandler(iCommonsList, aS4IncomingMessageState.getResourceHelper());
            WSSConfig wSSConfig = supplier.get();
            // First customisation hook: the WSSConfig, before it is attached to the request data.
            if (this.m_aDecryptParameterModifier != null) {
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Before modifyWSSConfig");
                }
                this.m_aDecryptParameterModifier.modifyWSSConfig(wSSConfig);
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("After modifyWSSConfig");
                }
            }
            LOGGER.info("phase4 --- verify-decrypt:start");
            RequestData requestData = new RequestData();
            requestData.setCallbackHandler(aS4KeyStoreCallbackHandler);
            // The attachment callback is only registered when there is something to decrypt.
            if (iCommonsList.isNotEmpty()) {
                requestData.setAttachmentCallbackHandler(wSS4JAttachmentCallbackHandler);
            }
            requestData.setSigVerCrypto(this.m_aCryptoFactorySign.getCrypto(ECryptoMode.DECRYPT_VERIFY));
            requestData.setDecCrypto(this.m_aCryptoFactoryCrypt.getCrypto(ECryptoMode.DECRYPT_VERIFY));
            requestData.setWssConfig(wSSConfig);
            requestData.setSignatureProvider(this.m_aSecurityProviderSignVerify);
            // Second customisation hook: the fully populated RequestData, right before the engine runs.
            if (this.m_aDecryptParameterModifier != null) {
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Before modifyRequestData");
                }
                this.m_aDecryptParameterModifier.modifyRequestData(requestData);
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("After modifyRequestData");
                }
            }
            WSSecurityEngine wSSecurityEngine = new WSSecurityEngine();
            wSSecurityEngine.setWssConfig(wSSConfig);
            // This is where signature verification and decryption actually happen; failures
            // surface as WSSecurityException and are mapped to EBMS_FAILED_DECRYPTION below.
            List<WSSecurityEngineResult> results = wSSecurityEngine.processSecurityHeader(document, requestData).getResults();
            LOGGER.info("phase4 --- verify-decrypt:end");
            // Distinct certificates found across all engine results (raw type: decompiler output).
            CommonsHashSet commonsHashSet = new CommonsHashSet();
            // Certificate of the first result whose action equals 4096; null if none.
            X509Certificate x509Certificate2 = null;
            // Bit-wise OR of all result actions, stored in the state as the performed security actions.
            int i = 0;
            for (WSSecurityEngineResult wSSecurityEngineResult : results) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("WSSecurityEngineResult: " + wSSecurityEngineResult);
                }
                Integer num = (Integer) wSSecurityEngineResult.get("action");
                int intValue = num != null ? num.intValue() : 0;
                i |= intValue;
                X509Certificate x509Certificate3 = (X509Certificate) wSSecurityEngineResult.get("x509-certificate");
                if (x509Certificate3 != null) {
                    commonsHashSet.add(x509Certificate3);
                    // 4096 is a WSS4J action bit inlined by the compiler; presumably the
                    // signature action constant from WSConstants - TODO confirm against the
                    // WSS4J version in use. Only the first matching certificate is kept.
                    if (intValue == 4096 && x509Certificate2 == null) {
                        x509Certificate2 = x509Certificate3;
                    }
                }
            }
            aS4IncomingMessageState.setSoapWSS4JSecurityActions(i);
            // Select the certificate to report as "used":
            //   0 or 1 certificates  -> that one (or null),
            //   several, none signing -> the first one collected (warning logged),
            //   several, one signing  -> the signing one.
            if (commonsHashSet.size() <= 1) {
                x509Certificate = commonsHashSet.size() == 1 ? (X509Certificate) commonsHashSet.getAtIndex(0) : null;
            } else if (x509Certificate2 == null) {
                LOGGER.warn("Found " + commonsHashSet.size() + " different certificates in message. Using the first one.");
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("All gathered certificates: " + commonsHashSet);
                }
                x509Certificate = (X509Certificate) commonsHashSet.getAtIndex(0);
            } else {
                x509Certificate = x509Certificate2;
            }
            aS4IncomingMessageState.setUsedCertificate(x509Certificate);
            // WSS4J decrypts in place, so the input document is the decrypted one.
            aS4IncomingMessageState.setDecryptedSoapDocument(document);
            LOGGER.info("phase4 --- attachment.storetemp:start");
            // Spool every decrypted attachment to a temp file so it can be read more than once.
            ICommonsList<WSS4JAttachment> allResponseAttachments = wSS4JAttachmentCallbackHandler.getAllResponseAttachments();
            for (WSS4JAttachment wSS4JAttachment : allResponseAttachments) {
                File createTempFile = aS4IncomingMessageState.getResourceHelper().createTempFile();
                // NOTE(review): a failed copy is only logged; the attachment is still re-pointed at
                // the (possibly incomplete) temp file and the method still returns SUCCESS.
                if (StreamHelper.copyByteStream().from(wSS4JAttachment.getSourceStream()).closeFrom(true).to(FileHelper.getBufferedOutputStream(createTempFile)).closeTo(true).build().isFailure()) {
                    LOGGER.error("Failed to write response attachment to temporary file '" + createTempFile.getAbsolutePath() + "'");
                }
                wSS4JAttachment.setSourceStreamProvider(HasInputStream.multiple(() -> {
                    return FileHelper.getBufferedInputStream(createTempFile);
                }));
            }
            aS4IncomingMessageState.setDecryptedAttachments(allResponseAttachments);
            LOGGER.info("phase4 --- attachment.storetemp:end");
            return ESuccess.SUCCESS;
        } catch (IOException e) {
            // I/O problems (e.g. temp file spooling) are reported as a generic ebMS error.
            LOGGER.error("IO error processing the WSSSecurity Header", e);
            iCommonsList2.add(EEbmsError.EBMS_OTHER.errorBuilder(locale).errorDetail("IO error processing the WSSSecurity Header", e).m120build());
            aS4IncomingMessageState.setSoapWSS4JException(e);
            return ESuccess.FAILURE;
        } catch (IllegalStateException | IndexOutOfBoundsException | WSSecurityException e2) {
            // Engine failures (bad signature, undecryptable content, ...) and unexpected
            // state/index errors are all reported as EBMS_FAILED_DECRYPTION.
            LOGGER.error("Error processing the WSSSecurity Header", e2);
            iCommonsList2.add(EEbmsError.EBMS_FAILED_DECRYPTION.errorBuilder(locale).errorDetail("Error processing the WSSSecurity Header", e2).m120build());
            aS4IncomingMessageState.setSoapWSS4JException(e2);
            return ESuccess.FAILURE;
        }
    }

    /**
     * Processes the {@code wsse:Security} header: validates the declared signature
     * and digest algorithms and the attachment {@code Content-ID} headers against
     * the ebMS part info, then verifies and decrypts via WSS4J. The whole step is
     * skipped when the applicable PMode leg defines no security.
     *
     * @param document
     *        The SOAP document.
     * @param element
     *        The {@code wsse:Security} header element.
     * @param iCommonsList
     *        Incoming attachments (index-aligned with the ebMS {@code PartInfo} list,
     *        offset by one when a SOAP body payload is present).
     * @param aS4IncomingMessageState
     *        Message state providing PMode, locale, user message and receiving the results.
     * @param iCommonsList2
     *        Error list to which ebMS errors are appended on failure.
     * @return {@link ESuccess#SUCCESS} if the header was processed (or skipped),
     *         {@link ESuccess#FAILURE} otherwise; an error was added to the list in that case.
     * @throws IllegalStateException
     *         if neither the state nor the fallback supplier provides a PMode.
     */
    @Override // com.helger.phase4.incoming.soap.ISoapHeaderElementProcessor
    @Nonnull
    public ESuccess processHeaderElement(@Nonnull Document document, @Nonnull Element element, @Nonnull ICommonsList<WSS4JAttachment> iCommonsList, @Nonnull AS4IncomingMessageState aS4IncomingMessageState, @Nonnull ICommonsList<Ebms3Error> iCommonsList2) {
        ESuccess _verifyAndDecrypt;
        IPMode pMode = aS4IncomingMessageState.getPMode();
        if (pMode == null) {
            pMode = this.m_aFallbackPModeProvider.get();
        }
        if (pMode == null) {
            throw new IllegalStateException("No PMode contained in AS4 state - seems like Ebms3 Messaging header is missing!");
        }
        Locale locale = aS4IncomingMessageState.getLocale();
        PModeLeg leg1 = pMode.getLeg1();
        Ebms3UserMessage ebmsUserMessage = aS4IncomingMessageState.getEbmsUserMessage();
        // A user message referencing another message (RefToMessageId) is a response, so leg 2 applies.
        if (ebmsUserMessage != null && StringHelper.hasText(ebmsUserMessage.getMessageInfo().getRefToMessageId())) {
            leg1 = pMode.getLeg2();
        }
        if (leg1.getSecurity() != null) {
            // Pre-check the algorithms declared in ds:Signature/ds:SignedInfo before WSS4J runs,
            // so an unsupported algorithm is rejected with EBMS_FAILED_AUTHENTICATION.
            Element firstChildElementOfName = XMLHelper.getFirstChildElementOfName(element, CAS4.DS_NS, "Signature");
            if (firstChildElementOfName != null) {
                Element firstChildElementOfName2 = XMLHelper.getFirstChildElementOfName(firstChildElementOfName, CAS4.DS_NS, "SignedInfo");
                Element firstChildElementOfName3 = XMLHelper.getFirstChildElementOfName(firstChildElementOfName2, CAS4.DS_NS, "SignatureMethod");
                String attribute = firstChildElementOfName3 == null ? null : firstChildElementOfName3.getAttribute("Algorithm");
                ECryptoAlgorithmSign fromURIOrNull = ECryptoAlgorithmSign.getFromURIOrNull(attribute);
                if (fromURIOrNull == null) {
                    String str = "Error processing the Security Header, your signing algorithm '" + attribute + "' is incorrect. Expected one of the following '" + Arrays.toString(ECryptoAlgorithmSign.values()) + "' algorithms";
                    LOGGER.error(str);
                    iCommonsList2.add(EEbmsError.EBMS_FAILED_AUTHENTICATION.errorBuilder(locale).errorDetail(str).m120build());
                    return ESuccess.FAILURE;
                }
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Using signature algorithm " + fromURIOrNull);
                }
                // Only the first ds:Reference's DigestMethod is inspected here.
                Element firstChildElementOfName4 = XMLHelper.getFirstChildElementOfName(XMLHelper.getFirstChildElementOfName(firstChildElementOfName2, CAS4.DS_NS, "Reference"), CAS4.DS_NS, "DigestMethod");
                ECryptoAlgorithmSignDigest fromURIOrNull2 = ECryptoAlgorithmSignDigest.getFromURIOrNull(firstChildElementOfName4 == null ? null : firstChildElementOfName4.getAttribute("Algorithm"));
                if (fromURIOrNull2 == null) {
                    String str2 = "Error processing the Security Header - the signing digest algorithm is incorrect. Expected one of the following algorithms: '" + Arrays.toString(ECryptoAlgorithmSignDigest.values()) + "'";
                    LOGGER.error(str2);
                    iCommonsList2.add(EEbmsError.EBMS_FAILED_AUTHENTICATION.errorBuilder(locale).errorDetail(str2).m120build());
                    return ESuccess.FAILURE;
                }
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Using signature digest algorithm " + fromURIOrNull2);
                }
            }
            // Cross-check every attachment's Content-ID against the ebMS PartInfo href at the
            // same position (shifted by one when the SOAP body itself carries a payload).
            if (ebmsUserMessage != null) {
                boolean isSoapBodyPayloadPresent = aS4IncomingMessageState.isSoapBodyPayloadPresent();
                for (int i = 0; i < iCommonsList.size(); i++) {
                    String str3 = (String) ((WSS4JAttachment) iCommonsList.get(i)).getHeaders().get("Content-ID");
                    if (StringHelper.hasNoText(str3)) {
                        LOGGER.error("The provided attachment ID in the 'Content-ID' header may not be empty.");
                        iCommonsList2.add(EEbmsError.EBMS_VALUE_INCONSISTENT.errorBuilder(locale).errorDetail("The provided attachment ID in the 'Content-ID' header may not be empty.").m120build());
                        return ESuccess.FAILURE;
                    }
                    if (!str3.startsWith(WSS4JAttachment.CONTENT_ID_PREFIX)) {
                        String str4 = "The provided attachment ID '" + str3 + "' in the 'Content-ID' header does not start with the required prefix '<attachment='";
                        LOGGER.error(str4);
                        iCommonsList2.add(EEbmsError.EBMS_VALUE_INCONSISTENT.errorBuilder(locale).errorDetail(str4).m120build());
                        return ESuccess.FAILURE;
                    }
                    if (!str3.endsWith(WSS4JAttachment.CONTENT_ID_SUFFIX)) {
                        String str5 = "The provided attachment ID '" + str3 + "' in the 'Content-ID' header does not end with the required suffix '>'";
                        LOGGER.error(str5);
                        iCommonsList2.add(EEbmsError.EBMS_VALUE_INCONSISTENT.errorBuilder(locale).errorDetail(str5).m120build());
                        return ESuccess.FAILURE;
                    }
                    // Strip the prefix/suffix to obtain the bare attachment ID.
                    String substring = str3.substring(WSS4JAttachment.CONTENT_ID_PREFIX.length(), str3.length() - WSS4JAttachment.CONTENT_ID_SUFFIX.length());
                    // NOTE(review): getPartInfoAtIndex(...)/getHref() are dereferenced without a null
                    // check; a message with fewer PartInfo entries than attachments would NPE here - confirm.
                    String href = ebmsUserMessage.getPayloadInfo().getPartInfoAtIndex((isSoapBodyPayloadPresent ? 1 : 0) + i).getHref();
                    // NOTE(review): this is a containment test, not an exact match of the href
                    // against the attachment ID - confirm that is intentional.
                    if (!href.contains(substring)) {
                        String str6 = "The usermessage part information '" + href + "' does not reference the respective attachment ID '" + substring + "'";
                        LOGGER.error(str6);
                        iCommonsList2.add(EEbmsError.EBMS_VALUE_INCONSISTENT.errorBuilder(locale).errorDetail(str6).m120build());
                        return ESuccess.FAILURE;
                    }
                }
            }
            // Run WSS4J either serialized through WSSSynchronizer with a static WSSConfig,
            // or unsynchronized with a per-instance WSSConfig, depending on configuration.
            if (AS4Configuration.isWSS4JSynchronizedSecurity()) {
                _verifyAndDecrypt = (ESuccess) WSSSynchronizer.call(() -> {
                    return _verifyAndDecrypt(document, iCommonsList, aS4IncomingMessageState, iCommonsList2, WSSConfigManager::createStaticWSSConfig);
                });
            } else {
                WSSConfigManager wSSConfigManager = WSSConfigManager.getInstance();
                // Null check emitted by javac for the bound method reference on the next line.
                Objects.requireNonNull(wSSConfigManager);
                _verifyAndDecrypt = _verifyAndDecrypt(document, iCommonsList, aS4IncomingMessageState, iCommonsList2, wSSConfigManager::createWSSConfig);
            }
            // The error was already added to iCommonsList2 inside _verifyAndDecrypt.
            if (_verifyAndDecrypt.isFailure()) {
                return ESuccess.FAILURE;
            }
        } else if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("PMode leg has no security defined - skipping Verification and Decryption step");
        }
        return ESuccess.SUCCESS;
    }
}
