package be.iminds.ilabt.jfed.lowlevel;

import be.iminds.ilabt.jfed.lowlevel.authority.AuthorityListModel;
import be.iminds.ilabt.jfed.lowlevel.authority.SfaAuthority;
import be.iminds.ilabt.jfed.util.GeniUrn;
import be.iminds.ilabt.jfed.util.JFedTrustStore;
import be.iminds.ilabt.jfed.util.KeyUtil;
import be.iminds.ilabt.jfed.util.RFC3339Util;
import be.iminds.ilabt.jfed.util.XmlUtil;
import java.io.IOException;
import java.io.StringReader;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Date;
import java.util.Random;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import org.apache.http.cookie.ClientCookie;
import org.apache.xml.security.Init;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.storage.StorageResolver;
import org.apache.xml.security.keys.storage.implementations.KeyStoreResolver;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.ElementProxy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* loaded from: input_file:be/iminds/ilabt/jfed/lowlevel/SfaCredential.class */
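/**
 * A GENI/SFA {@code <signed-credential>} document.
 * <p>
 * The XML handed to the constructor is parsed once; the fields of the (single) {@code <credential>} element are
 * exposed through getters, {@link #check(KeyStore)} verifies the enclosed {@code ds:Signature} elements, and the
 * static factories / {@link #delegate} build and sign new credentials in the same format.
 * <p>
 * Instances are not thread-safe: the DOM in {@link #xmlDoc} is mutated while marking ID attributes and is walked
 * without synchronisation.
 */
public class SfaCredential extends AnyCredential {
    // Switches that alter how <expires> is rendered by getExpiresDateString(); public and mutable on purpose
    // (presumably flipped by tests / debugging code to mimic the date formats of other SFA implementations).
    public static boolean debug_expiredate_forceZinsteadOfZero = true;
    public static boolean debug_expiredate_forcezulu = true;
    public static boolean debug_expiredate_discardsubsecond = true;
    public static boolean debug_expiredate_smalltz = false;

    private static final Logger LOG = LoggerFactory.getLogger(SfaCredential.class);
    // Source of xml:id values. They only have to be unique inside one document, not unpredictable, so
    // java.util.Random is sufficient here.
    private static final Random RANDOM = new Random();

    private static final String XSI_NS = "http://www.w3.org/2001/XMLSchema-instance";
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String CREDENTIAL_XSD = "http://www.protogeni.net/resources/credential/credential.xsd";
    private static final String POLICY_SCHEMA_LOCATION =
            "http://www.protogeni.net/resources/credential/ext/policy/1 http://www.protogeni.net/resources/credential/ext/policy/1/policy.xsd";
    // Xerces feature: reject any DOCTYPE declaration. Without a DTD there are no external entities to resolve
    // and no entity expansion, which closes the XXE / entity-expansion attack surface of the credential parser.
    private static final String DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Parsed form of credentialXml (inherited from AnyCredential); set by initDoc().
    private Document xmlDoc;
    // Values of the child elements of <credential>; set by parseXml(). Required ones are never null afterwards.
    private String type;
    private String ownerUrn;
    private String targetUrn;
    private String ownerGid;   // optional: PEM certificate of the owner, may be null
    private String targetGid;  // optional: PEM certificate of the target, may be null
    private String expires;    // optional: raw text of <expires>, may be null
    private Date expiresDate;  // parsed form of expires; null when absent or unparsable

    /**
     * Wraps an existing signed SFA credential as {@code geni_sfa} version 2.
     *
     * @param name          human-readable label handed to {@link AnyCredential}
     * @param credentialXml the {@code <signed-credential>} document as text
     * @throws CredentialException if the XML cannot be parsed or lacks required elements
     */
    public SfaCredential(String name, String credentialXml) throws CredentialException {
        this(name, credentialXml, "geni_sfa", "2");
    }

    /**
     * Wraps an existing signed SFA credential.
     *
     * @param name           human-readable label handed to {@link AnyCredential}
     * @param credentialXml  the {@code <signed-credential>} document as text; must not be null
     * @param credentialType credential type, expected to be {@code sfa} or {@code geni_sfa} (asserted)
     * @param version        credential version string, passed through to {@link AnyCredential}
     * @throws CredentialException if {@code credentialXml} is null, cannot be parsed, or lacks required elements
     */
    public SfaCredential(String name, String credentialXml, String credentialType, String version) throws CredentialException {
        super(name, credentialXml, credentialType, version);
        assert credentialType.equalsIgnoreCase("sfa") || credentialType.equalsIgnoreCase("geni_sfa")
                : "Created SfaCredential not of type sfa, but of type=\"" + credentialType + "\" version=\"" + version + "\"";
        if (credentialXml == null) {
            throw new CredentialException("AnyCredential credentialXml may not be null");
        }
        initDoc();
        parseXml();
    }

    /**
     * Appends a new element named {@code tagName} to {@code parent}.
     *
     * @param text text content of the new element, or {@code null} for an empty element
     * @return the newly created element
     */
    private static Element addElementHelper(Document doc, Element parent, String tagName, String text) {
        Element child = doc.createElement(tagName);
        if (text != null) {
            child.appendChild(doc.createTextNode(text));
        }
        parent.appendChild(child);
        return child;
    }

    /**
     * Builds a namespace-aware {@link DocumentBuilderFactory} hardened against DTD-based attacks.
     * <p>
     * Credential XML originates from remote authorities, so DOCTYPE declarations are rejected outright and XInclude
     * / entity expansion are switched off. The documents this class produces itself carry no DOCTYPE; should a
     * foreign authority ever emit one, parsing now fails with a {@link CredentialException} instead of resolving
     * entities.
     */
    private static DocumentBuilderFactory newDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /**
     * Creates an empty document whose root is {@code <signed-credential>} carrying the protogeni schema
     * location attributes.
     */
    private static Document newSignedCredentialDocument() throws ParserConfigurationException {
        Document doc = newDocumentBuilderFactory().newDocumentBuilder().newDocument();
        Element root = doc.createElement("signed-credential");
        root.setAttributeNS(XSI_NS, "xsi:noNamespaceSchemaLocation", CREDENTIAL_XSD);
        root.setAttributeNS(XSI_NS, "xsi:schemaLocation", POLICY_SCHEMA_LOCATION);
        doc.appendChild(root);
        return doc;
    }

    /**
     * Appends a {@code <credential>} element with the given {@code xml:id} (registered as an ID attribute) to the
     * document root and fills in the children common to every credential produced here.
     *
     * @param ownerGid  PEM form of the owner certificate as produced by {@link KeyUtil#x509certificateToCredentialXmlGid}
     * @param targetGid PEM form of the target certificate, same encoding
     * @return the new {@code <credential>} element, so callers can add extra children such as {@code <parent>}
     */
    private static Element addCredentialElement(Document doc, String credId, String type, String ownerGid, String ownerUrn,
            String targetGid, String targetUrn, Date expires, String privilegeName, boolean canDelegate) {
        Element credential = doc.createElement("credential");
        Attr idAttr = doc.createAttribute("xml:id");
        idAttr.setValue(credId);
        credential.setAttributeNode(idAttr);
        // Register as an ID attribute so the signature can reference the element by id.
        credential.setIdAttributeNode(idAttr, true);
        doc.getDocumentElement().appendChild(credential);
        addElementHelper(doc, credential, "type", type);
        addElementHelper(doc, credential, "serial", "" + Math.random());
        addElementHelper(doc, credential, "owner_gid", ownerGid);
        addElementHelper(doc, credential, "owner_urn", ownerUrn);
        addElementHelper(doc, credential, "target_gid", targetGid);
        addElementHelper(doc, credential, "target_urn", targetUrn);
        addElementHelper(doc, credential, "uuid", null);
        addElementHelper(doc, credential, ClientCookie.EXPIRES_ATTR, getExpiresDateString(expires));
        Element privilege = addElementHelper(doc, addElementHelper(doc, credential, "privileges", null), "privilege", null);
        addElementHelper(doc, privilege, "name", privilegeName);
        addElementHelper(doc, privilege, "can_delegate", canDelegate ? "1" : "0");
        return credential;
    }

    /**
     * Signs the document with {@link XmlUtil#signXml} (handed the id of the {@code <credential>} element and the
     * name of the {@code <signatures>} element) and wraps the result as a {@code geni_sfa} version 3 credential.
     *
     * @param errorPrefix prefix of the {@link CredentialException} message when signing fails
     */
    private static SfaCredential signAndWrap(Document doc, String credId, X509Certificate signerCert, PrivateKey signerKey,
            String name, String errorPrefix) throws CredentialException {
        try {
            return new SfaCredential(name, XmlUtil.signXml(doc, credId, "signatures", signerCert, signerKey), "geni_sfa", "3");
        } catch (TransformerException | XMLSecurityException e) {
            throw new CredentialException(errorPrefix + e.getMessage(), e);
        }
    }

    /**
     * Builds and signs a new credential.
     *
     * @param type          value of the {@code <type>} element (e.g. {@code speaksfor})
     * @param ownerUrn      URN written to {@code <owner_urn>}
     * @param targetUrn     URN written to {@code <target_urn>}
     * @param ownerCert     certificate written to {@code <owner_gid>}
     * @param targetCert    certificate written to {@code <target_gid>}
     * @param signerCert    certificate embedded in the signature
     * @param signerKey     private key matching {@code signerCert}
     * @param expires       expiry instant, rendered by {@link #getExpiresDateString(Date)}
     * @param privilegeName value of {@code <privilege><name>}
     * @param canDelegate   value of {@code <privilege><can_delegate>}
     * @param name          human-readable label of the resulting credential
     * @throws CredentialException if the document cannot be built or signed
     */
    public static SfaCredential create(String type, String ownerUrn, String targetUrn, X509Certificate ownerCert,
            X509Certificate targetCert, X509Certificate signerCert, PrivateKey signerKey, Date expires,
            String privilegeName, boolean canDelegate, String name) throws CredentialException {
        try {
            Document doc = newSignedCredentialDocument();
            String credId = "cred" + RANDOM.nextInt();
            addCredentialElement(doc, credId, type,
                    KeyUtil.x509certificateToCredentialXmlGid(ownerCert), ownerUrn,
                    KeyUtil.x509certificateToCredentialXmlGid(targetCert), targetUrn,
                    expires, privilegeName, canDelegate);
            addElementHelper(doc, doc.getDocumentElement(), "signatures", null);
            return signAndWrap(doc, credId, signerCert, signerKey, name, "Failed to sign generated credential: ");
        } catch (ParserConfigurationException e) {
            throw new CredentialException("Failed to create credential: " + e.getMessage(), e);
        }
    }

    /**
     * Builds a {@code speaksfor} credential: {@code targetUrn}/{@code targetCert} become the target, {@code ownerUrn}/
     * {@code ownerCert} the owner, and the credential is signed with the target's certificate and {@code targetKey}
     * (presumably the target is the user being spoken for and the owner the tool speaking for them).
     *
     * @throws CredentialException if the document cannot be built or signed
     */
    public static SfaCredential createSpeaksFor(String targetUrn, String ownerUrn, X509Certificate targetCert,
            X509Certificate ownerCert, PrivateKey targetKey, Date expires, String privilegeName, boolean canDelegate)
            throws CredentialException {
        return create("speaksfor", ownerUrn, targetUrn, ownerCert, targetCert, targetCert, targetKey, expires,
                privilegeName, canDelegate, "SpeaksFor Credential");
    }

    /**
     * Renders an expiry instant as RFC 3339 text according to the {@code debug_expiredate_*} switches and verifies
     * that the text parses back to the same instant.
     *
     * @throws RuntimeException if the text cannot be parsed back or denotes a different instant
     */
    private static String getExpiresDateString(Date expires) {
        String formatted = RFC3339Util.dateToRFC3339String(expires, debug_expiredate_forcezulu,
                debug_expiredate_discardsubsecond, debug_expiredate_forceZinsteadOfZero);
        if (debug_expiredate_smalltz) {
            formatted = formatted.replace('T', 't').replace('Z', 'z');
        }
        Date reconstructed;
        try {
            reconstructed = RFC3339Util.rfc3339StringToDate(formatted);
        } catch (ParseException e) {
            throw new RuntimeException(e);
        }
        Date expected = expires;
        if (debug_expiredate_discardsubsecond) {
            // The text carries no sub-second part, so compare against the truncated instant.
            expected = new Date(expires.getTime() - (expires.getTime() % 1000));
        }
        if (reconstructed.getTime() != expected.getTime()) {
            throw new RuntimeException("ERROR reconstructing date: expireDate=" + expected + " res=\"" + formatted
                    + "\" reconstructExpires=" + reconstructed + "   -> " + reconstructed.getTime() + " != " + expected.getTime());
        }
        return formatted;
    }

    /**
     * Parses {@code credentialXml} into {@link #xmlDoc} and registers every {@code xml:id} attribute of a
     * {@code <credential>} element as an ID attribute (a non-validating DOM parse does not do this by itself, and
     * id lookups used during signature verification need it).
     *
     * @throws CredentialException if the XML is malformed or the parser cannot be configured
     */
    private void initDoc() throws CredentialException {
        try {
            this.xmlDoc = newDocumentBuilderFactory().newDocumentBuilder()
                    .parse(new InputSource(new StringReader(this.credentialXml)));
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new CredentialException("Error parsing credential XML: " + e.getMessage(), e);
        }
        NodeList credentials = this.xmlDoc.getDocumentElement().getElementsByTagName("credential");
        LOG.trace("Need to mark " + credentials.getLength() + " <credential> xml:id attributes as xml IDs");
        for (int i = 0; i < credentials.getLength(); i++) {
            Node node = credentials.item(i);
            if (node.getNodeType() != Node.ELEMENT_NODE) {
                continue;
            }
            Element credential = (Element) node;
            NamedNodeMap attributes = credential.getAttributes();
            for (int j = 0; j < attributes.getLength(); j++) {
                Attr attr = (Attr) attributes.item(j);
                if (attr.getName().equals("xml:id")) {
                    LOG.trace("Marking <credential> Attribute as id: " + attr);
                    credential.setIdAttributeNode(attr, true);
                } else {
                    LOG.trace("<credential> Attribute is not id: '" + attr.getNamespaceURI() + "' : '" + attr.getName() + "' -> " + attr);
                }
            }
        }
    }

    /**
     * Text content of the first descendant of {@code parent} named {@code tagName}, or {@code null} if absent.
     * <p>
     * NOTE(review): {@code getElementsByTagName} searches all descendants, so in a delegated credential the
     * {@code <parent>} sub-tree is searched as well. For credentials produced by this class the outer credential's
     * own elements precede {@code <parent>} in document order, but a credential written by another tool that puts
     * {@code <parent>} first would have the parent's values read here — confirm before relying on these values for
     * authorisation decisions.
     */
    private static String optionalChildText(Element parent, String tagName) {
        NodeList matches = parent.getElementsByTagName(tagName);
        return matches.getLength() > 0 ? matches.item(0).getTextContent() : null;
    }

    /**
     * Like {@link #optionalChildText} but fails when the element is missing.
     *
     * @throws CredentialException if {@code parent} has no descendant named {@code tagName}
     */
    private static String requiredChildText(Element parent, String tagName) throws CredentialException {
        String text = optionalChildText(parent, tagName);
        if (text == null) {
            throw new CredentialException("XML credential element does not contain " + tagName + " element");
        }
        return text;
    }

    /**
     * Locates the single {@code <credential>} child of {@code <signed-credential>} and copies its fields into this
     * object. {@code type}, {@code owner_urn} and {@code target_urn} are required; {@code owner_gid},
     * {@code target_gid} and {@code expires} are optional.
     *
     * @throws CredentialException if no or more than one {@code <credential>} is present, or a required element is missing
     */
    private void parseXml() throws CredentialException {
        assert this.xmlDoc != null;
        Element root = this.xmlDoc.getDocumentElement();
        assert root.getTagName().equals("signed-credential")
                : "Document element is not <signed-credential> but \"" + root.getTagName() + "\"";
        NodeList children = root.getChildNodes();
        if (children.getLength() == 0) {
            throw new CredentialException("Cannot find any <signed-credential> element children!");
        }
        Element credential = null;
        for (int i = 0; i < children.getLength(); i++) {
            Node child = children.item(i);
            if (child instanceof Element) {
                if (!((Element) child).getTagName().equals("credential")) {
                    continue; // e.g. <signatures>
                }
                if (credential != null) {
                    throw new CredentialException("No support for multiple credentials implemented.");
                }
                credential = (Element) child;
            } else if (!(child instanceof Text) || !child.getTextContent().trim().isEmpty()) {
                // Whitespace between elements is expected; anything else is unusual enough to log.
                LOG.warn("<signed-credential> contains non credential: class=" + child.getClass().getName() + " value=" + child.toString());
            }
        }
        if (credential == null) {
            throw new CredentialException("No credential element found in credential.");
        }
        this.type = requiredChildText(credential, "type");
        this.ownerUrn = requiredChildText(credential, "owner_urn");
        this.targetUrn = requiredChildText(credential, "target_urn");
        this.ownerGid = optionalChildText(credential, "owner_gid");
        this.targetGid = optionalChildText(credential, "target_gid");
        this.expires = optionalChildText(credential, ClientCookie.EXPIRES_ATTR);
        if (this.expires != null) {
            try {
                this.expiresDate = RFC3339Util.iso8601StringToDate(this.expires);
            } catch (ParseException e) {
                // An unparsable expiry is reported but not fatal; getExpiresDate() then returns null.
                LOG.error("XML credential expires element is not a valid ISO8601 date: \"" + this.expires + "\"", e);
                this.expiresDate = null;
            }
        }
    }

    /** @return the {@code <type>} of the credential */
    @Override // be.iminds.ilabt.jfed.lowlevel.AnyCredential
    public String getType() {
        return this.type;
    }

    /** @return the {@code <target_urn>} of the credential */
    public String getTargetUrn() {
        return this.targetUrn;
    }

    /** @return the {@code <owner_urn>} of the credential */
    public String getOwnerUrn() {
        return this.ownerUrn;
    }

    /** @return the {@code <owner_gid>} (PEM certificate) of the credential, or {@code null} if absent */
    public String getOwnerGid() {
        return this.ownerGid;
    }

    /** @return the {@code <target_gid>} (PEM certificate) of the credential, or {@code null} if absent */
    public String getTargetGid() {
        return this.targetGid;
    }

    /** @return the raw {@code <expires>} text, or {@code null} if absent */
    @Override // be.iminds.ilabt.jfed.lowlevel.AnyCredential
    public String getExpires() {
        return this.expires;
    }

    /** @return the parsed {@code <expires>} instant, or {@code null} if absent or unparsable */
    @Override // be.iminds.ilabt.jfed.lowlevel.AnyCredential
    public Date getExpiresDate() {
        return this.expiresDate;
    }

    /**
     * @return whether the target URN names a sub-authority, or {@code null} when there is no target URN or it does
     *         not parse as a {@link GeniUrn}
     */
    @Override // be.iminds.ilabt.jfed.lowlevel.AnyCredential
    public Boolean isTargetSubAuthority() {
        if (this.targetUrn == null) {
            return null;
        }
        GeniUrn urn = GeniUrn.parse(this.targetUrn);
        if (urn == null) {
            return null;
        }
        return Boolean.valueOf(urn.getEncodedSubAuthName() != null);
    }

    /**
     * Verifies the signatures against the SSL trust certificates of the authorities responsible for the owner and
     * target URNs, as found in {@code authorityListModel}. URNs that match no known authority contribute nothing
     * to the trust store.
     *
     * @see #check(KeyStore)
     */
    public boolean check(AuthorityListModel authorityListModel) throws CredentialException {
        JFedTrustStore trustStore = new JFedTrustStore();
        addAuthorityTrustCerts(trustStore, authorityListModel, this.ownerUrn);
        addAuthorityTrustCerts(trustStore, authorityListModel, this.targetUrn);
        return check(trustStore.getTrustStore());
    }

    /** Adds the trust certificates of the authority matching {@code urn} (if any) to {@code trustStore}. */
    private static void addAuthorityTrustCerts(JFedTrustStore trustStore, AuthorityListModel authorityListModel, String urn)
            throws CredentialException {
        if (urn == null) {
            return;
        }
        SfaAuthority authority = authorityListModel.getFromAnyUrn(urn,
                AuthorityListModel.SubAuthMatchAllowed.ALLOW_OTHER_SUBAUTHORITY,
                AuthorityListModel.SubAuthMatchPreference.PREFER_EXACT_SUBAUTHORITY);
        if (authority != null) {
            trustStore.addTrustedPemCertificateIfNotAdded(authority.getPemSslTrustCerts());
        }
    }

    /**
     * Verifies every {@code ds:Signature} element in the document.
     * <p>
     * NOTE(review): {@link XMLSignature#checkSignatureValue} only proves that the signature was made with the key
     * that santuario resolved from {@code ds:KeyInfo}. When the KeyInfo embeds its own X509Certificate, that
     * certificate is what gets resolved and nothing here checks that it chains to a certificate in {@code keyStore}
     * — confirm whether chain validation happens elsewhere before treating {@code true} as "issued by a trusted
     * authority".
     *
     * @param keyStore trust store made available to santuario's key resolvers
     * @return {@code true} only if every signature verifies; {@code false} on the first failure or library error
     * @throws CredentialException if the document contains no {@code ds:Signature} at all
     */
    public boolean check(KeyStore keyStore) throws CredentialException {
        assert this.xmlDoc != null;
        NodeList signatures = this.xmlDoc.getElementsByTagNameNS(XMLDSIG_NS, Constants._TAG_SIGNATURE);
        if (signatures.getLength() == 0) {
            throw new CredentialException("Cannot find any Signature element: not a valid credential.");
        }
        LOG.debug("There are " + signatures.getLength() + " <signature> elements in <Signature> that need to be checked.");
        for (int i = 0; i < signatures.getLength(); i++) {
            try {
                if (!checkSignature((Element) signatures.item(i), keyStore)) {
                    return false;
                }
            } catch (Exception e) {
                // Boundary: any santuario failure (malformed signature, unresolvable key, ...) means "not valid".
                LOG.error("Error during checkSignedCredential", e);
                return false;
            }
        }
        return true;
    }

    /**
     * Verifies one {@code ds:Signature} element with santuario, resolving keys from the embedded KeyInfo and
     * {@code keyStore}.
     *
     * @return {@code false} when no KeyInfo, certificate or public key can be found, or the signature value is wrong
     */
    private static boolean checkSignature(Element signatureElement, KeyStore keyStore) throws XMLSecurityException {
        LOG.debug("Checking <signature> with apache santurio library");
        Init.init();
        ElementProxy.setDefaultPrefix(XMLDSIG_NS, "");
        XMLSignature signature = new XMLSignature(signatureElement, null);
        KeyInfo keyInfo = signature.getKeyInfo();
        // Null check must precede the addStorageResolver call below (the original dereferenced first).
        if (keyInfo == null) {
            LOG.debug("Could not find ds:KeyInfo");
            return false;
        }
        keyInfo.addStorageResolver(new StorageResolver(new KeyStoreResolver(keyStore)));
        X509Certificate cert = keyInfo.getX509Certificate();
        if (cert != null) {
            boolean valid = signature.checkSignatureValue(cert);
            LOG.debug("X509Certificate Check: " + valid);
            return valid;
        }
        PublicKey publicKey = keyInfo.getPublicKey();
        if (publicKey == null) {
            LOG.debug("Could not find Certificate or PublicKey");
            return false;
        }
        boolean valid = signature.checkSignatureValue(publicKey);
        LOG.debug("PublicKey Check: " + valid);
        return valid;
    }

    /**
     * Creates a delegated credential: a new {@code privilege} credential for {@code newOwnerUrn} on the same target,
     * embedding this credential as {@code <parent>} and copying this credential's signatures, signed by the current
     * owner (certificate taken from {@code <owner_gid>}, key from {@code ownerKey}).
     * <p>
     * The requested expiry is capped at this credential's own expiry.
     *
     * @param newOwnerUrn   URN of the party the privilege is delegated to
     * @param newOwnerCert  certificate of that party, written to {@code <owner_gid>}
     * @param ownerKey      private key of the current owner, used to sign
     * @param expires       requested expiry (must not be null)
     * @param privilegeName value of {@code <privilege><name>}
     * @param canDelegate   whether the new owner may delegate further
     * @throws CredentialException if this credential lacks the elements needed for delegation, or building/signing fails
     */
    public SfaCredential delegate(String newOwnerUrn, X509Certificate newOwnerCert, PrivateKey ownerKey, Date expires,
            String privilegeName, boolean canDelegate) throws CredentialException {
        Element credential = (Element) this.xmlDoc.getElementsByTagName("credential").item(0);
        Element signatures = (Element) this.xmlDoc.getElementsByTagName("signatures").item(0);
        if (credential == null || signatures == null) {
            throw new CredentialException("Cannot delegate: credential has no <credential> or <signatures> element.");
        }
        String targetUrnText = requiredChildText(credential, "target_urn");
        String targetGidText = requiredChildText(credential, "target_gid");
        String ownerGidText = requiredChildText(credential, "owner_gid");
        Date effectiveExpires = expires;
        Date ownExpires = getExpiresDate();
        if (ownExpires != null && ownExpires.before(expires)) {
            LOG.info("when delegating credential, requested expire date was after expire date of credential being delegated. This is not allowed, using original date of date of credential being delegated as expires date instead. requested date = " + expires + ". original expires date = " + ownExpires);
            effectiveExpires = ownExpires;
        }
        try {
            Document doc = newSignedCredentialDocument();
            // Full int range: the embedded <parent> keeps its own xml:id, and ids must be unique within the document.
            String credId = "cred" + RANDOM.nextInt();
            Element newCredential = addCredentialElement(doc, credId, "privilege",
                    KeyUtil.x509certificateToCredentialXmlGid(newOwnerCert), newOwnerUrn,
                    targetGidText, targetUrnText, effectiveExpires, privilegeName, canDelegate);
            addElementHelper(doc, newCredential, "parent", null).appendChild(doc.importNode(credential, true));
            Element newSignatures = addElementHelper(doc, doc.getDocumentElement(), "signatures", null);
            NodeList parentSignatures = signatures.getChildNodes();
            for (int i = 0; i < parentSignatures.getLength(); i++) {
                newSignatures.appendChild(doc.importNode(parentSignatures.item(i), true));
            }
            return signAndWrap(doc, credId, KeyUtil.pemToX509Certificate(ownerGidText), ownerKey,
                    "Delegated Credential", "Failed to sign delegated credential: ");
        } catch (ParserConfigurationException e) {
            throw new CredentialException("Failed to create delegated credential: " + e.getMessage(), e);
        }
    }
}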
