package org.opensaml.xml.signature;

import java.security.Key;
import org.apache.log4j.Logger;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.transforms.TransformationException;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.IdResolver;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.xml.util.DatatypeHelper;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.Validator;
import org.w3c.dom.Element;

/* loaded from: input_file:org/opensaml/xml/signature/SignatureValidator.class */
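public class SignatureValidator implements Validator<Signature> {

    /** Class logger. */
    private static final Logger log = Logger.getLogger(SignatureValidator.class);

    /** Transform URI for the enveloped-signature transform (required on every accepted signature). */
    private static final String TRANSFORM_ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";

    /** Transform URI for exclusive canonicalization without comments. */
    private static final String TRANSFORM_EXCLUSIVE_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** Transform URI for exclusive canonicalization with comments. */
    private static final String TRANSFORM_EXCLUSIVE_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";

    /** Upper bound on the number of transforms a single reference may carry. */
    private static final int MAX_TRANSFORMS = 2;

    /** Key used to check the signature value. Never null. */
    private final Key verificationKey;

    /**
     * Constructs a validator that checks signatures against the given key.
     *
     * @param key key used to verify the signature value
     *
     * @throws IllegalArgumentException if {@code key} is null
     */
    public SignatureValidator(Key key) throws IllegalArgumentException {
        if (key == null) {
            throw new IllegalArgumentException("Verification key may not be null");
        }
        this.verificationKey = key;
    }

    /**
     * Validates the signature value with the configured key and then, when the signature's parent is a
     * {@link SignableSAMLObject}, applies the structural reference checks (single reference, same-document
     * URI pointing at the parent, restricted transforms, no {@code ds:Object} children).
     *
     * A null {@code signature} is treated as nothing to validate and returns without error.
     *
     * @param signature signature to validate
     *
     * @throws ValidationException if the signature carries no underlying {@link XMLSignature}, if the
     *             signature value does not verify with the key, or if any reference check fails
     */
    @Override // org.opensaml.xml.validation.Validator
    public void validate(Signature signature) throws ValidationException {
        if (signature == null) {
            return;
        }

        XMLSignature xmlSignature = signature.getXMLSignature();
        // Without an underlying XMLSignature there is nothing to check; report it as a validation
        // failure rather than letting checkSignatureValue() fail with a NullPointerException.
        if (xmlSignature == null) {
            if (log.isDebugEnabled()) {
                log.debug("Signature does not contain an XMLSignature instance to validate");
            }
            throw new ValidationException("Signature does not contain an XMLSignature instance to validate");
        }

        if (log.isDebugEnabled()) {
            log.debug("Attempting to validate digital signature using provided key");
        }
        try {
            if (!xmlSignature.checkSignatureValue(this.verificationKey)) {
                if (log.isDebugEnabled()) {
                    log.debug("Digital signature could not be validated with given key");
                }
                throw new ValidationException("Digital signature does not validate with the given key");
            }
            if (log.isDebugEnabled()) {
                log.debug("Digital signature validated successfully");
            }

            // A cryptographically valid signature is still rejected unless it is bound to the parent
            // object in the expected way.
            validateSignatureReference(signature, xmlSignature);
            if (log.isDebugEnabled()) {
                log.debug("Digital signature reference checks complete");
            }
        } catch (XMLSignatureException e) {
            if (log.isDebugEnabled()) {
                log.debug("Digital signature could not be validated with given key", e);
            }
            throw new ValidationException("Digital signature does not validate with the given key", e);
        }
    }

    /**
     * Applies the reference checks when the signature's parent is a {@link SignableSAMLObject}; other
     * parents are skipped. Exactly one {@code ds:Reference} is required in {@code ds:SignedInfo}.
     *
     * @param signature the signature being validated
     * @param xmlSignature the underlying Apache XML Security signature
     *
     * @throws ValidationException if there is not exactly one reference, or if the reference URI,
     *             transforms or object-children checks fail
     */
    private void validateSignatureReference(Signature signature, XMLSignature xmlSignature)
            throws ValidationException {
        if (!(signature.getParent() instanceof SignableSAMLObject)) {
            if (log.isDebugEnabled()) {
                log.debug("Digital signature parent is not a SignableSAMLObject thus validation will not be performed");
            }
            return;
        }
        SignableSAMLObject parent = (SignableSAMLObject) signature.getParent();

        try {
            Reference reference = null;
            if (xmlSignature.getSignedInfo().getLength() == 1) {
                reference = xmlSignature.getSignedInfo().item(0);
            }
            if (reference == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Digital signature reference null or contained more than one reference");
                }
                throw new ValidationException("Digital signature reference was not valid");
            }

            verifyReference(reference.getURI(), parent);
            verifyTransforms(reference);
            verifyObjectChildren(xmlSignature);
        } catch (XMLSecurityException e) {
            if (log.isDebugEnabled()) {
                log.debug("XML Security exception obtaining reference", e);
            }
            throw new ValidationException("Exception obtaining digital signature reference", e);
        }
    }

    /**
     * Checks that the reference URI names the parent object's ID and, when the URI is non-empty, that it
     * resolves to the parent's own DOM element. An empty URI passes the ID check and is not resolved.
     *
     * @param referenceUri the reference URI (expected form {@code #id})
     * @param parent the signed object the reference must point at
     *
     * @throws ValidationException if the URI does not name the parent's ID, if the parent has no DOM, or if
     *             the ID does not resolve to the parent's DOM element
     */
    private void verifyReference(String referenceUri, SignableSAMLObject parent) throws ValidationException {
        verifyReferenceURI(referenceUri, parent.getSignatureReferenceID());
        if (DatatypeHelper.isEmpty(referenceUri)) {
            return;
        }

        Element parentDom = parent.getDOM();
        if (parentDom == null) {
            if (log.isDebugEnabled()) {
                log.debug("SignableSAMLObject does not have a DOM Element.");
            }
            throw new ValidationException("SignableSAMLObject does not have a DOM Element.");
        }

        // verifyReferenceURI has already established a leading '#' and a non-empty fragment, so
        // substring(1) is the bare ID. The resolved element must be the parent itself, not merely an
        // element sharing its ID elsewhere in the document.
        Element resolved = IdResolver.getElementById(parentDom.getOwnerDocument(), referenceUri.substring(1));
        if (resolved == null || !parentDom.isSameNode(resolved)) {
            if (log.isDebugEnabled()) {
                log.debug("Digital signature reference did not resolve to the expected DOM Element, URI: "
                        + referenceUri);
            }
            throw new ValidationException("Digital signature reference did not resolve to the expected DOM Element");
        }
    }

    /**
     * Checks the syntactic form of the reference URI against the parent's ID: a non-empty URI must be a
     * document fragment ({@code #} followed by at least one character) whose fragment equals
     * {@code expectedId}. An empty URI is accepted without further checks.
     *
     * @param referenceUri the reference URI
     * @param expectedId the parent object's signature reference ID
     *
     * @throws ValidationException if the URI is not a fragment reference, if {@code expectedId} is empty, or
     *             if the fragment does not equal {@code expectedId}
     */
    private void verifyReferenceURI(String referenceUri, String expectedId) throws ValidationException {
        if (DatatypeHelper.isEmpty(referenceUri)) {
            return;
        }
        if (!referenceUri.startsWith("#")) {
            throw new ValidationException("Digital signature reference URI was not a document fragment reference");
        }
        if (DatatypeHelper.isEmpty(expectedId)) {
            throw new ValidationException("SignableSAMLObject did not contain an ID attribute");
        }
        if (referenceUri.length() < 2 || !expectedId.equals(referenceUri.substring(1))) {
            if (log.isDebugEnabled()) {
                log.debug("Digital signature reference URI did not point to parent ID: " + expectedId);
            }
            throw new ValidationException("Digital signature reference URI did not point to parent ID");
        }
    }

    /**
     * Checks the reference's transforms: at most {@link #MAX_TRANSFORMS} transforms, each of which must be
     * the enveloped-signature transform or exclusive C14N (with or without comments), and the
     * enveloped-signature transform must be present.
     *
     * @param reference the reference whose transforms are checked
     *
     * @throws ValidationException if transforms are absent, if any transform is not permitted, if the
     *             enveloped-signature transform is missing, or if the transforms cannot be read
     */
    private void verifyTransforms(Reference reference) throws ValidationException {
        try {
            Transforms transforms = reference.getTransforms();
            if (transforms == null) {
                throw new ValidationException("Digital signature transforms was not valid");
            }

            boolean sawEnvelopedTransform = false;
            int transformCount = transforms.getLength();
            // More than MAX_TRANSFORMS is rejected by falling through to the "required transforms"
            // failure below without inspecting any of them.
            if (transformCount <= MAX_TRANSFORMS) {
                for (int i = 0; i < transformCount; i++) {
                    try {
                        String uri = transforms.item(i).getURI();
                        if (TRANSFORM_ENVELOPED_SIGNATURE.equals(uri)) {
                            if (log.isDebugEnabled()) {
                                log.debug("Saw Enveloped signature transform");
                            }
                            sawEnvelopedTransform = true;
                        } else if (TRANSFORM_EXCLUSIVE_C14N.equals(uri)
                                || TRANSFORM_EXCLUSIVE_C14N_WITH_COMMENTS.equals(uri)) {
                            if (log.isDebugEnabled()) {
                                log.debug("Saw Exclusive C14N signature transform");
                            }
                        } else {
                            if (log.isDebugEnabled()) {
                                log.debug("Digital signature contained an invalid transform: " + uri);
                            }
                            throw new ValidationException("Digital signature contained an invalid transform");
                        }
                    } catch (TransformationException e) {
                        if (log.isDebugEnabled()) {
                            log.debug("Error obtaining transform instance", e);
                        }
                        throw new ValidationException("Error obtaining transform instance", e);
                    }
                }
            }

            if (!sawEnvelopedTransform) {
                if (log.isDebugEnabled()) {
                    log.debug("Digital signature did not contain the required transforms");
                }
                throw new ValidationException("Digital signature did not contain the required transforms");
            }
        } catch (XMLSecurityException e) {
            if (log.isDebugEnabled()) {
                log.debug("XML Security exception obtaining transforms", e);
            }
            throw new ValidationException("Exception obtaining digital signature transforms", e);
        }
    }

    /**
     * Rejects signatures that carry any {@code ds:Object} children.
     *
     * @param xmlSignature the underlying Apache XML Security signature
     *
     * @throws ValidationException if the signature has one or more {@code ds:Object} children
     */
    private void verifyObjectChildren(XMLSignature xmlSignature) throws ValidationException {
        if (xmlSignature.getObjectLength() > 0) {
            throw new ValidationException("Digital signature contained ds:Object children");
        }
    }
}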
