package no.digipost.signature.client.asice.signature;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.Certificate;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.stream.Stream;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import no.digipost.signature.client.core.exceptions.ConfigurationException;
import no.digipost.signature.client.core.exceptions.XmlConfigurationException;
import no.digipost.signature.client.core.exceptions.XmlValidationException;
import no.digipost.signature.client.security.KeyStoreConfig;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.xml.validation.SchemaLoaderUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.SAXException;

/* loaded from: input_file:no/digipost/signature/client/asice/signature/CreateSignature.class */
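/**
 * Produces the XAdES-style {@code signatures.xml} document for an ASiC-E container.
 *
 * <p>The produced {@code XAdESSignatures} element holds one enveloped XMLDSig
 * {@code Signature} whose {@code SignedInfo} references every signable file by
 * URL-encoded file name plus the caller-supplied SHA-256 digest, and additionally
 * references the XAdES {@code SignedProperties} that {@link CreateXAdESArtifacts}
 * builds. The signer never reads file content: the file references are created
 * with pre-computed digest values, so the signature is only as good as the digests
 * the caller passes in. The finished document is validated against the XMLDSig and
 * ASiC schemas before it is returned.
 *
 * <p>Instances are immutable after construction; {@link Schema} is safe for concurrent
 * use and a fresh {@code Validator} is created per signing.
 */
public class CreateSignature {
    /** Inclusive C14N 1.0, used both as canonicalization method and as the SignedProperties transform. */
    private static final String C14V1 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";
    private static final String ASIC_NAMESPACE = "http://uri.etsi.org/2918/v1.2.1#";
    private static final String SIGNED_PROPERTIES_TYPE = "http://uri.etsi.org/01903#SignedProperties";
    private static final String RSA_SHA256_SIGNATURE_METHOD = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private static final String W3C_XML_SCHEMA_LANGUAGE = "http://www.w3.org/2001/XMLSchema";
    /** JDK-bundled XMLDSig provider; the library relies on the default Java provider being present. */
    private static final String XMLDSIG_PROVIDER = "XMLDSig";
    private static final String XMLDSIG_MECHANISM = "DOM";

    private final DigestMethod sha256DigestMethod;
    private final CanonicalizationMethod canonicalizationMethod;
    private final Transform canonicalXmlTransform;
    private final DomUtils domUtils = new DomUtils();
    private final CreateXAdESArtifacts createXAdESArtifacts;
    private final Schema schema;

    /**
     * Initializes the XMLDSig algorithm objects and loads the validation schemas.
     *
     * @param clock the clock used for the XAdES signing time
     * @throws ConfigurationException if the XMLDSig provider, the algorithms or the schemas are unavailable
     */
    public CreateSignature(Clock clock) {
        this.createXAdESArtifacts = new CreateXAdESArtifacts(clock);
        try {
            XMLSignatureFactory signatureFactory = getSignatureFactory();
            this.sha256DigestMethod = signatureFactory.newDigestMethod(DigestMethod.SHA256, null);
            this.canonicalizationMethod = signatureFactory.newCanonicalizationMethod(C14V1, null);
            this.canonicalXmlTransform = signatureFactory.newTransform(C14V1, null);
            this.schema = loadSchema();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            throw new ConfigurationException("Failed to initialize XML-signing", e);
        }
    }

    /**
     * Loads the XMLDSig core schema and the ETSI ASiC schema from the classpath.
     *
     * @throws ConfigurationException if either schema cannot be read or parsed
     */
    private Schema loadSchema() {
        Resource[] schemaResources = {
                new ClassPathResource("/thirdparty/xmldsig-core-schema.xsd"),
                new ClassPathResource("/thirdparty/ts_102918v010201.xsd")
        };
        try {
            return SchemaLoaderUtils.loadSchema(schemaResources, W3C_XML_SCHEMA_LANGUAGE);
        } catch (IOException | SAXException e) {
            throw new ConfigurationException("Failed to load schemas for validating signatures", e);
        }
    }

    /**
     * Signs the given file references and returns the serialized {@code signatures.xml}.
     *
     * @param list the files to reference (name and SHA-256 digest); the content is not read here
     * @param keyStoreConfig supplies the private key, the signing certificate and its chain
     * @return the serialized signature document
     */
    public Signature createSignature(List<? extends SignableFileReference> list, KeyStoreConfig keyStoreConfig) {
        Document signatureDocument = createXmlSignature(list, keyStoreConfig);
        return new Signature(domUtils.serializeToXml(signatureDocument));
    }

    /**
     * Builds, signs and schema-validates the {@code XAdESSignatures} DOM document.
     *
     * @param list the files to reference (name and SHA-256 digest)
     * @param keyStoreConfig supplies the private key, the signing certificate and its chain
     * @return the signed and validated document
     * @throws XmlConfigurationException if signing or marshalling fails
     * @throws XmlValidationException if the signed document does not validate against the schemas
     */
    protected Document createXmlSignature(List<? extends SignableFileReference> list, KeyStoreConfig keyStoreConfig) {
        XMLSignatureFactory signatureFactory = getSignatureFactory();
        SignatureMethod signatureMethod = getSignatureMethod(signatureFactory);
        XAdESArtifacts xadesArtifacts = createXAdESArtifacts.createArtifactsToSign(list, keyStoreConfig.getCertificate());

        // File references first (with caller-supplied digests), then the SignedProperties
        // reference, whose digest is computed over the canonicalized in-memory element
        // served by signedPropertiesURIDereferencer below.
        List<Reference> references = references(signatureFactory, list);
        references.add(signatureFactory.newReference(
                xadesArtifacts.signablePropertiesReferenceUri,
                sha256DigestMethod,
                Collections.singletonList(canonicalXmlTransform),
                SIGNED_PROPERTIES_TYPE,
                null));

        // The XAdES QualifyingProperties travel inside the Signature as an ds:Object.
        DOMStructure qualifyingProperties = new DOMStructure(xadesArtifacts.document.getDocumentElement());
        XMLSignature xmlSignature = signatureFactory.newXMLSignature(
                signatureFactory.newSignedInfo(canonicalizationMethod, signatureMethod, references),
                keyInfo(signatureFactory, keyStoreConfig.getCertificateChain()),
                Collections.singletonList(signatureFactory.newXMLObject(
                        Collections.singletonList(qualifyingProperties), null, null, null)),
                "Signature",
                null);

        Document signatureDocument = domUtils.newEmptyXmlDocument();
        DOMSignContext signContext = new DOMSignContext(keyStoreConfig.getPrivateKey(), addXAdESSignaturesElement(signatureDocument));
        signContext.setURIDereferencer(signedPropertiesURIDereferencer(xadesArtifacts, signatureFactory));
        try {
            xmlSignature.sign(signContext);
        } catch (XMLSignatureException e) {
            throw new XmlConfigurationException("Failed to sign ASiC-E element.", e);
        } catch (MarshalException e) {
            throw new XmlConfigurationException("failed to read ASiC-E XML for signing", e);
        }
        validateAgainstSchema(signatureDocument);
        return signatureDocument;
    }

    /**
     * Validates the signed document against the XMLDSig and ASiC schemas.
     * A new {@code Validator} is created per call because validators are not thread-safe.
     *
     * @throws XmlValidationException if validation fails or the document cannot be read
     */
    private void validateAgainstSchema(Document signatureDocument) {
        try {
            schema.newValidator().validate(new DOMSource(signatureDocument));
        } catch (IOException | SAXException e) {
            throw new XmlValidationException("Failed to validate generated signature.xml because " + e.getClass().getSimpleName() + ": '" + e.getMessage() + "'. Verify that the input is valid and that there are no illegal symbols in file names etc.", e);
        }
    }

    /**
     * Returns a dereferencer that serves the SignedProperties reference from the in-memory
     * XAdES artifacts and delegates every other URI to the factory's default dereferencer.
     * Only the SignedProperties reference is actually dereferenced during signing; the file
     * references carry pre-computed digest values.
     */
    private URIDereferencer signedPropertiesURIDereferencer(XAdESArtifacts xadesArtifacts, XMLSignatureFactory signatureFactory) {
        return (uriReference, context) -> {
            if (!xadesArtifacts.signablePropertiesReferenceUri.equals(uriReference.getURI())) {
                return signatureFactory.getURIDereferencer().dereference(uriReference, context);
            }
            Stream<Node> signedPropertyNodes = domUtils.allNodesBelow(xadesArtifacts.signableProperties);
            // NodeSetData is a functional interface (iterator()); the stream is consumed once by the digester.
            return (javax.xml.crypto.NodeSetData<Node>) signedPropertyNodes::iterator;
        };
    }

    /**
     * Appends the ASiC {@code XAdESSignatures} root element, which becomes the signature's parent.
     */
    private static Element addXAdESSignaturesElement(Document document) {
        Element root = document.createElementNS(ASIC_NAMESPACE, "XAdESSignatures");
        return (Element) document.appendChild(root);
    }

    /**
     * Creates the RSA-SHA256 signature method.
     *
     * @throws ConfigurationException if the algorithm is not available from the provider
     */
    private static SignatureMethod getSignatureMethod(XMLSignatureFactory signatureFactory) {
        try {
            return signatureFactory.newSignatureMethod(RSA_SHA256_SIGNATURE_METHOD, null);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            throw new ConfigurationException("Failed to initialize XML-signing", e);
        }
    }

    /**
     * Creates one reference per file, identified as {@code ID_<index>}, with the URI set to the
     * URL-encoded file name and the digest value taken verbatim from the file reference.
     *
     * @return a mutable list; the caller appends the SignedProperties reference to it
     */
    private List<Reference> references(XMLSignatureFactory signatureFactory, List<? extends SignableFileReference> files) {
        List<Reference> references = new ArrayList<>(files.size() + 1);
        for (int i = 0; i < files.size(); i++) {
            SignableFileReference file = files.get(i);
            references.add(signatureFactory.newReference(
                    encodeFileNameAsUri(file.getFileName()),
                    sha256DigestMethod,
                    null,
                    null,
                    "ID_" + i,
                    file.getSha256()));
        }
        return references;
    }

    /**
     * URL-encodes a file name for use as a reference URI (UTF-8).
     */
    private static String encodeFileNameAsUri(String fileName) {
        try {
            return URLEncoder.encode(fileName, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory on every JVM, so this cannot happen in practice.
            throw new IllegalStateException("UTF-8 encoding not supported", e);
        }
    }

    /**
     * Builds a {@code KeyInfo} carrying the full certificate chain as X509Data, so verifiers
     * can build the path from the signing certificate without out-of-band lookups.
     */
    private static KeyInfo keyInfo(XMLSignatureFactory signatureFactory, Certificate[] certificateChain) {
        KeyInfoFactory keyInfoFactory = signatureFactory.getKeyInfoFactory();
        return keyInfoFactory.newKeyInfo(Collections.singletonList(keyInfoFactory.newX509Data(Arrays.asList(certificateChain))));
    }

    /**
     * Obtains the DOM XMLDSig factory from the JDK provider.
     *
     * @throws ConfigurationException (with cause) if the provider is not registered
     */
    private static XMLSignatureFactory getSignatureFactory() {
        try {
            return XMLSignatureFactory.getInstance(XMLDSIG_MECHANISM, XMLDSIG_PROVIDER);
        } catch (NoSuchProviderException e) {
            throw new ConfigurationException("Failed to find XML Digital Signature provider. The library depends on default Java-provider", e);
        }
    }
}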
