package es.gob.afirma.signers.xades;

import es.gob.afirma.core.AOException;
import es.gob.afirma.core.misc.AOUtil;
import es.gob.afirma.core.signers.AOSignConstants;
import es.gob.afirma.core.signers.CounterSignTarget;
import es.gob.afirma.signers.cades.CAdESExtraParams;
import es.gob.afirma.signers.xml.Utils;
import es.gob.afirma.signers.xml.XMLConstants;
import es.uji.crypto.xades.jxades.security.xml.XAdES.DataObjectFormatImpl;
import es.uji.crypto.xades.jxades.security.xml.XAdES.ObjectIdentifierImpl;
import es.uji.crypto.xades.jxades.security.xml.XAdES.XAdESBase;
import es.uji.crypto.xades.jxades.security.xml.XAdES.XAdESStructure;
import es.uji.crypto.xades.jxades.security.xml.XAdES.XMLAdvancedSignature;
import java.io.ByteArrayInputStream;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.UUID;
import java.util.logging.Logger;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import nu.xom.canonical.Canonicalizer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/afirma-crypto-xades-1.7.2.jar:es/gob/afirma/signers/xades/XAdESCounterSigner.class */
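/**
 * Adds XAdES countersignatures to the {@code ds:Signature} elements of an existing XML signature document.
 *
 * <p>Each countersignature is written as a {@code CounterSignature} element under the
 * {@code UnsignedProperties/UnsignedSignatureProperties} of the signature being countersigned, and
 * references that signature's {@code SignatureValue} element by its identifier.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>No call in this class verifies the existing signatures before countersigning them. Callers
 *       that need that guarantee must validate the document first.</li>
 *   <li>Target elements are located by local name (several lookups use the {@code "*"} namespace
 *       wildcard) and the first match is taken, so the structure of the input document is trusted.</li>
 *   <li>XML parser hardening (DTDs, external entities) depends on
 *       {@code XAdESUtil.getNewDocumentBuilder()}, which is not visible here.
 *       NOTE(review): confirm it before feeding untrusted input.</li>
 * </ul>
 */
public final class XAdESCounterSigner {
    /** Reference {@code Type} value used to mark a reference as pointing at a countersigned signature. */
    private static final String CSURI = "http://uri.etsi.org/01903#CountersignedSignature";
    private static final Logger LOGGER = Logger.getLogger("es.gob.afirma");

    /**
     * Parses a serialized signature document and countersigns it.
     *
     * @param bArr serialized XML signature document
     * @param str signature algorithm name, or {@code null} for {@code SHA512withRSA}
     * @param counterSignTarget which signatures to countersign
     * @param objArr targets for {@code NODES} (Integer positions) or {@code SIGNERS} (names compared to certificate CNs)
     * @param privateKey key used to sign
     * @param certificateArr signer certificate chain; element 0 must be the signing X.509 certificate
     * @param properties extra parameters, or {@code null}
     * @return the serialized document with the countersignatures added
     * @throws AOException if the document cannot be parsed or the countersignature fails
     */
    public static byte[] countersign(byte[] bArr, String str, CounterSignTarget counterSignTarget, Object[] objArr, PrivateKey privateKey, Certificate[] certificateArr, Properties properties) throws AOException {
        // Only the parse step is reported as a load failure; previously every later error
        // (including signing failures) was relabelled as "could not load the document".
        final Document signDocument;
        try {
            // NOTE(review): parser configuration lives in XAdESUtil.getNewDocumentBuilder();
            // confirm DTD / external-entity processing is disabled, since bArr may be untrusted.
            signDocument = XAdESUtil.getNewDocumentBuilder().parse(new ByteArrayInputStream(bArr));
        } catch (Exception e) {
            throw new AOException("No se ha podido cargar el documento de firmas", e);
        }
        try {
            return countersign(signDocument, str, counterSignTarget, objArr, privateKey, certificateArr, properties);
        } catch (AOException e) {
            throw e;
        } catch (Exception e) {
            // Keeps the historical contract of this overload: callers only ever see AOException.
            throw new AOException("No se ha podido realizar la contrafirma: " + e, e);
        }
    }

    /**
     * Countersigns the signatures of an already parsed signature document.
     *
     * <p>When the document root is itself a {@code Signature} element, the document is temporarily
     * wrapped through {@code AOXAdESSigner.insertarNodoAfirma} and unwrapped again before serializing.
     *
     * @param document signature document; must not be {@code null}
     * @param str signature algorithm name, or {@code null} for {@code SHA512withRSA}
     * @param counterSignTarget which signatures to countersign
     * @param objArr targets for {@code NODES} or {@code SIGNERS}
     * @param privateKey key used to sign
     * @param certificateArr signer certificate chain; element 0 must be the signing X.509 certificate
     * @param properties extra parameters, or {@code null}
     * @return the serialized document with the countersignatures added
     * @throws AOException if the countersignature cannot be generated
     * @throws IllegalArgumentException if {@code document} is {@code null} or the algorithm is rejected
     */
    public static byte[] countersign(Document document, String str, CounterSignTarget counterSignTarget, Object[] objArr, PrivateKey privateKey, Certificate[] certificateArr, Properties properties) throws AOException {
        if (document == null) {
            throw new IllegalArgumentException("El objeto de firma no puede ser nulo");
        }
        final String algorithm = str != null ? str : "SHA512withRSA";
        final Properties extraParams = properties != null ? properties : new Properties();
        checkParams(algorithm, extraParams);
        if (XMLConstants.SIGN_ALGOS_URI.get(algorithm) == null) {
            throw new IllegalArgumentException("Los formatos de firma XML no soportan el algoritmo de firma '" + algorithm + "'");
        }
        final String outputEncoding = extraParams.getProperty("outputXmlEncoding");
        boolean rootIsSignature = false;
        Document workingDoc = document;
        Element root = document.getDocumentElement();
        final Map<String, String> originalXMLProperties;
        try {
            originalXMLProperties = XAdESUtil.getOriginalXMLProperties(document, outputEncoding);
            // Constant-first comparison: getLocalName() may return null for nodes built without namespaces.
            if ("Signature".equals(root.getLocalName())) {
                rootIsSignature = true;
                workingDoc = AOXAdESSigner.insertarNodoAfirma(workingDoc);
                root = workingDoc.getDocumentElement();
            }
        } catch (Exception e) {
            throw new AOException("No se ha podido realizar la contrafirma: " + e, e);
        }
        // Sequential (not nested) try blocks so a failure is wrapped once, with the message of the
        // step that actually failed.
        try {
            if (counterSignTarget == CounterSignTarget.TREE) {
                countersignTree(root, privateKey, certificateArr, extraParams, algorithm, workingDoc);
            } else if (counterSignTarget == CounterSignTarget.LEAFS) {
                countersignLeafs(root, privateKey, certificateArr, extraParams, algorithm, workingDoc);
            } else if (counterSignTarget == CounterSignTarget.NODES) {
                countersignNodes(root, objArr, privateKey, certificateArr, extraParams, algorithm, workingDoc);
            } else if (counterSignTarget == CounterSignTarget.SIGNERS) {
                countersignSigners(root, objArr, privateKey, certificateArr, extraParams, algorithm, workingDoc);
            } else {
                // The document is still returned unchanged (as before), but the caller is told that
                // nothing was countersigned instead of this passing silently.
                LOGGER.warning("No se ha indicado un objetivo de contrafirma soportado (" + counterSignTarget + "), no se agregara ninguna contrafirma");
            }
            if (rootIsSignature) {
                try {
                    // Undo the temporary wrapper: move the first Signature back to the document root.
                    final Document unwrapped = XAdESUtil.getNewDocumentBuilder().newDocument();
                    unwrapped.appendChild(unwrapped.adoptNode(workingDoc.getElementsByTagNameNS(XMLConstants.DSIGNNS, "Signature").item(0)));
                    workingDoc = unwrapped;
                } catch (Exception e) {
                    // Best effort: on failure the wrapped document is returned as is.
                    LOGGER.info("No se ha eliminado el nodo padre '<AFIRMA>': " + e);
                }
            }
            return Utils.writeXML(workingDoc.getDocumentElement(), originalXMLProperties, null, null);
        } catch (Exception e) {
            throw new AOException("Error al generar la contrafirma", e);
        }
    }

    /**
     * Countersigns every signature that contains no nested {@code Signature} element (the leaves).
     *
     * @throws AOException if any leaf cannot be countersigned
     */
    private static void countersignLeafs(Element element, PrivateKey privateKey, Certificate[] certificateArr, Properties properties, String str, Document document) throws AOException {
        final NodeList signatures = element.getElementsByTagNameNS(XMLConstants.DSIGNNS, "Signature");
        int count = signatures.getLength();
        int index = 0;
        while (index < count) {
            try {
                final Element candidate = (Element) signatures.item(index);
                if (candidate.getElementsByTagNameNS(XMLConstants.DSIGNNS, "Signature").getLength() == 0) {
                    cs(candidate, privateKey, certificateArr, properties, str, document);
                    // The list grew by the countersignature just added below 'candidate'; account
                    // for it and step over it so the new signature is not countersigned in turn.
                    count++;
                    index++;
                }
                index++;
            } catch (Exception e) {
                throw new AOException("No se ha podido realizar la contrafirma de hojas", e);
            }
        }
    }

    /**
     * Countersigns the signatures found at the given positions of the document-order signature list.
     *
     * @param objArr positions as {@code Integer} values; duplicates are ignored
     * @throws AOException if a value is not an Integer, a position does not exist, or signing fails
     */
    private static void countersignNodes(Element element, Object[] objArr, PrivateKey privateKey, Certificate[] certificateArr, Properties properties, String str, Document document) throws AOException {
        if (objArr == null) {
            throw new AOException("No se han indicado los nodos a contrafirmar");
        }
        // Validate and de-duplicate up front: the cast used to run outside the handler that was
        // meant to report invalid values, and a null entry failed later with a bare NPE.
        final List<Integer> positions = new ArrayList<>();
        for (final Object target : objArr) {
            if (!(target instanceof Integer)) {
                throw new AOException("Valor de nodo no valido");
            }
            if (!positions.contains(target)) {
                positions.add((Integer) target);
            }
        }
        final NodeList signatures = element.getElementsByTagNameNS(XMLConstants.DSIGNNS, "Signature");
        // Resolve every position before signing: each countersignature adds a Signature element,
        // which would shift the positions of the remaining targets.
        final Element[] targets = new Element[positions.size()];
        for (int i = 0; i < targets.length; i++) {
            targets[i] = (Element) signatures.item(positions.get(i).intValue());
            if (targets[i] == null) {
                throw new AOException("Posicion de nodo no valida.");
            }
        }
        try {
            for (final Element target : targets) {
                cs(target, privateKey, certificateArr, properties, str, document);
            }
        } catch (Exception e) {
            throw new AOException("No se ha podido realizar la contrafirma de nodos", e);
        }
    }

    /**
     * Countersigns the signatures whose embedded certificate has a CN listed in {@code objArr}.
     *
     * <p>Security note: the match is by common name only, against the first {@code X509Certificate}
     * element found under each signature, and that certificate is taken from the document without
     * being validated here. A CN is not a unique identity, so this selection is a convenience
     * filter, not an authentication of who produced the signature.
     *
     * @throws AOException if no targets are given or signing fails
     */
    private static void countersignSigners(Element element, Object[] objArr, PrivateKey privateKey, Certificate[] certificateArr, Properties properties, String str, Document document) throws AOException {
        if (objArr == null) {
            throw new AOException("No se han indicado los firmantes a contrafirmar");
        }
        final NodeList signatures = element.getElementsByTagNameNS(XMLConstants.DSIGNNS, "Signature");
        final List<Object> signerNames = Arrays.asList(objArr);
        // Collect first, sign afterwards, so the signatures added by cs() are not revisited.
        final List<Element> matches = new ArrayList<>();
        for (int i = 0; i < signatures.getLength(); i++) {
            final Element signature = (Element) signatures.item(i);
            final org.w3c.dom.Node certNode = signature.getElementsByTagNameNS(XMLConstants.DSIGNNS, "X509Certificate").item(0);
            if (certNode == null) {
                // A signature without an embedded certificate cannot be matched by CN.
                continue;
            }
            if (signerNames.contains(AOUtil.getCN(Utils.getCertificate(certNode)))) {
                matches.add(signature);
            }
        }
        for (final Element signature : matches) {
            cs(signature, privateKey, certificateArr, properties, str, document);
        }
    }

    /**
     * Countersigns every signature present in the document.
     *
     * @throws AOException if any signature cannot be countersigned
     */
    private static void countersignTree(Element element, PrivateKey privateKey, Certificate[] certificateArr, Properties properties, String str, Document document) throws AOException {
        final NodeList signatures = element.getElementsByTagNameNS(XMLConstants.DSIGNNS, "Signature");
        final int count = signatures.getLength();
        // Snapshot the list: only the signatures present before this call are countersigned.
        final Element[] snapshot = new Element[count];
        for (int i = 0; i < count; i++) {
            snapshot[i] = (Element) signatures.item(i);
        }
        for (final Element signature : snapshot) {
            try {
                cs(signature, privateKey, certificateArr, properties, str, document);
            } catch (Exception e) {
                throw new AOException("No se ha podido realizar la contrafirma del arbol", e);
            }
        }
    }

    /**
     * Adds one countersignature to a single {@code ds:Signature} element.
     *
     * <p>All inputs are checked before the DOM is modified, so a rejected request does not leave
     * empty {@code UnsignedProperties}/{@code CounterSignature} elements behind.
     *
     * @param element the signature to countersign
     * @param privateKey key used to sign
     * @param certificateArr signer chain; element 0 must be an {@code X509Certificate}
     * @param properties extra parameters, or {@code null}
     * @param str signature algorithm name, resolved through {@code XMLConstants.SIGN_ALGOS_URI}
     * @param document owner document used to create the new elements; must not be {@code null}
     * @throws AOException if the signature lacks required elements or signing fails
     * @throws IllegalArgumentException if {@code document} is {@code null} or the algorithm is unsupported
     */
    private static void cs(Element element, PrivateKey privateKey, Certificate[] certificateArr, Properties properties, String str, Document document) throws AOException {
        if (document == null) {
            throw new IllegalArgumentException("El documento DOM no puede ser nulo");
        }
        if (certificateArr == null || certificateArr.length == 0 || !(certificateArr[0] instanceof X509Certificate)) {
            throw new AOException("No se ha proporcionado un certificado X.509 de firma");
        }
        final X509Certificate signingCert = (X509Certificate) certificateArr[0];
        final Properties extraParams = properties != null ? properties : new Properties();
        final String digestUri = extraParams.getProperty("referencesDigestMethod", "http://www.w3.org/2001/04/xmlenc#sha512");
        final String c14nAlgorithm = extraParams.getProperty("canonicalizationAlgorithm", Canonicalizer.CANONICAL_XML);
        // PKCS#1 validation is on unless the caller switches it off explicitly.
        final boolean validatePkcs1 = Boolean.parseBoolean(extraParams.getProperty(XAdESExtraParams.INTERNAL_VALIDATE_PKCS1, Boolean.TRUE.toString()));

        final Element signedPropertiesReference = XAdESUtil.getSignedPropertiesReference(element);
        final Element signedProperties = XAdESUtil.getSignedPropertiesElement(element, signedPropertiesReference);
        if (signedProperties == null || signedPropertiesReference == null) {
            throw new AOException("No se han encontrado los atributos firmados de la firma original");
        }
        // First match by local name in any namespace; see the class-level note on input structure.
        final org.w3c.dom.Node qualifyingProperties = element.getElementsByTagNameNS("*", "QualifyingProperties").item(0);
        if (qualifyingProperties == null) {
            throw new AOException("La firma a contrafirmar no contiene el elemento QualifyingProperties");
        }
        final Element signatureValue = (Element) element.getElementsByTagNameNS(XMLConstants.DSIGNNS, XMLAdvancedSignature.ELEMENT_SIGNATURE_VALUE).item(0);
        if (signatureValue == null) {
            throw new AOException("La firma a contrafirmar no contiene el valor de firma");
        }
        final String signatureValueId = signatureValue.getAttribute(XAdESStructure.ID_ATTRIBUTE);
        if (signatureValueId == null || signatureValueId.isEmpty()) {
            // Without an identifier the reference below would be the bare fragment "#", which does
            // not designate the countersigned SignatureValue.
            throw new AOException("El valor de firma de la firma a contrafirmar no tiene identificador");
        }

        String prefix = signedProperties.getPrefix();
        final String namespaceURI = signedProperties.getNamespaceURI();
        final String referenceType = signedPropertiesReference.getAttribute("Type");

        // Reuse UnsignedProperties / UnsignedSignatureProperties when present, else create them.
        final Element unsignedProperties;
        final NodeList unsignedPropertiesList = element.getElementsByTagNameNS("*", "UnsignedProperties");
        if (unsignedPropertiesList.getLength() == 0) {
            unsignedProperties = document.createElement(addNSPrefix(prefix, "UnsignedProperties"));
        } else {
            unsignedProperties = (Element) unsignedPropertiesList.item(0);
            prefix = unsignedProperties.getPrefix();
        }
        final Element unsignedSignatureProperties;
        final NodeList unsignedSignaturePropertiesList = unsignedProperties.getElementsByTagNameNS("*", "UnsignedSignatureProperties");
        if (unsignedSignaturePropertiesList.getLength() == 0) {
            unsignedSignatureProperties = document.createElement(addNSPrefix(prefix, "UnsignedSignatureProperties"));
        } else {
            unsignedSignatureProperties = (Element) unsignedSignaturePropertiesList.item(0);
            prefix = unsignedSignatureProperties.getPrefix();
        }
        final Element counterSignature = document.createElement(addNSPrefix(prefix, "CounterSignature"));
        unsignedSignatureProperties.appendChild(counterSignature);
        unsignedProperties.appendChild(unsignedSignatureProperties);
        qualifyingProperties.appendChild(unsignedProperties);

        final XMLSignatureFactory factory = Utils.getDOMFactory();
        // The three steps below use separate handlers. They used to be nested, so every failure,
        // signing included, ended up reported as "no digest generator for algorithm X".
        final DigestMethod digestMethod;
        try {
            digestMethod = factory.newDigestMethod(digestUri, (DigestMethodParameterSpec) null);
        } catch (Exception e) {
            throw new AOException("No se ha podido obtener un generador de huellas digitales para el algoritmo '" + digestUri + "'", e);
        }

        final String referenceId = "Reference-" + UUID.randomUUID().toString();
        // Raw lists are kept on purpose: the element types expected by the signing APIs called
        // below are not visible from this class.
        final ArrayList references = new ArrayList();
        final AOXMLAdvancedSignature xmlAdvancedSignature;
        try {
            final ArrayList transforms = new ArrayList();
            transforms.add(factory.newTransform(c14nAlgorithm, (TransformParameterSpec) null));
            references.add(factory.newReference("#" + signatureValueId, digestMethod, transforms, needCounterSignatureReferenceType(namespaceURI) ? CSURI : null, referenceId));
            String profile = extraParams.getProperty("profile", "advanced");
            // Case-insensitive, like the other profile checks in this class, so that "BASELINE"
            // is also downgraded when the original namespace cannot carry a baseline signature.
            if (AOSignConstants.SIGN_PROFILE_BASELINE.equalsIgnoreCase(profile) && !XAdESUtil.isBaselineCompatible(namespaceURI)) {
                LOGGER.warning("La firma original utiliza un espacio de nombres no compatible con baseline (" + namespaceURI + "). No se generara una firma baseline");
                profile = "advanced";
            }
            final XAdESBase xades = XAdESUtil.newInstance(profile, namespaceURI, prefix, "ds", digestUri, counterSignature.getOwnerDocument(), counterSignature, signingCert);
            XAdESCommonMetadataUtil.addCommonMetadata(xades, extraParams);
            if (!profile.equalsIgnoreCase(AOSignConstants.SIGN_PROFILE_BASELINE)) {
                final DataObjectFormatImpl dataObjectFormat = new DataObjectFormatImpl(null, new ObjectIdentifierImpl("OIDAsURN", "urn:oid:1.2.840.10003.5.109.10", null, new ArrayList(0)), "text/xml", document.getInputEncoding(), "#" + referenceId);
                final ArrayList dataObjectFormats = new ArrayList();
                dataObjectFormats.add(dataObjectFormat);
                xades.setDataObjectFormats(dataObjectFormats);
            }
            xmlAdvancedSignature = XAdESUtil.getXmlAdvancedSignature(xades, referenceType, digestUri, c14nAlgorithm);
        } catch (Exception e) {
            throw new AOException("No se ha podido realizar la contrafirma", e);
        }

        try {
            if (Boolean.parseBoolean(extraParams.getProperty(CAdESExtraParams.INCLUDE_ONLY_SIGNNING_CERTIFICATE, Boolean.FALSE.toString()))) {
                xmlAdvancedSignature.sign(signingCert, privateKey, XMLConstants.SIGN_ALGOS_URI.get(str), references, "Signature-" + UUID.randomUUID().toString());
            } else {
                xmlAdvancedSignature.sign(
                    Arrays.asList(certificateArr),
                    privateKey,
                    XMLConstants.SIGN_ALGOS_URI.get(str),
                    references,
                    "Signature-" + UUID.randomUUID().toString(),
                    Boolean.parseBoolean(extraParams.getProperty("addKeyInfoKeyValue", Boolean.TRUE.toString())),
                    Boolean.parseBoolean(extraParams.getProperty(XAdESExtraParams.ADD_KEY_INFO_KEY_NAME, Boolean.FALSE.toString())),
                    Boolean.parseBoolean(extraParams.getProperty(XAdESExtraParams.ADD_KEY_INFO_X509_ISSUER_SERIAL, Boolean.FALSE.toString())),
                    Boolean.parseBoolean(extraParams.getProperty("keepKeyInfoUnsigned", Boolean.FALSE.toString())),
                    validatePkcs1);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("Los formatos de firma XML no soportan el algoritmo de firma '" + str + "'", e);
        } catch (Exception e) {
            throw new AOException("No se ha podido realizar la contrafirma", e);
        }
    }

    /**
     * Qualifies an element name with a namespace prefix.
     *
     * @return {@code str2} when the prefix is {@code null} or empty, otherwise {@code str:str2}
     */
    private static String addNSPrefix(String str, String str2) {
        return (str == null || str.isEmpty()) ? str2 : str + ":" + str2;
    }

    /** Not instantiable: the class only exposes static operations. */
    private XAdESCounterSigner() {
    }

    /**
     * Rejects MD-based signature algorithms and warns about SHA-1 in baseline signatures.
     *
     * <p>Only the signature algorithm name is rejected here (any name starting with {@code MD}).
     * The {@code referencesDigestMethod} parameter is merely warned about, and only when it is
     * SHA-1 under the baseline profile; no reference digest value is refused by this method.
     *
     * @throws IllegalArgumentException if the signature algorithm name starts with {@code MD}
     */
    private static void checkParams(String str, Properties properties) {
        if (str.toUpperCase(Locale.US).startsWith("MD")) {
            throw new IllegalArgumentException("XAdES no permite huellas digitales MD2 o MD5 (Decision 130/2011 CE)");
        }
        if (AOSignConstants.SIGN_PROFILE_BASELINE.equalsIgnoreCase(properties.getProperty("profile"))) {
            if (AOSignConstants.isSHA1SignatureAlgorithm(str)) {
                LOGGER.warning("El algoritmo '" + str + "' no esta recomendado para su uso en las firmas baseline");
            }
            if (XMLConstants.URL_SHA1.equals(properties.getProperty("referencesDigestMethod"))) {
                LOGGER.warning("El algoritmo SHA1 no esta recomendado para generar referencias en las firmas baseline");
            }
        }
    }

    /**
     * Tells whether the countersignature reference must carry the {@code CountersignedSignature} type.
     *
     * @param str XAdES namespace URI of the signature being countersigned
     * @return {@code false} for the v1.1.1 and v1.2.2 namespaces, {@code true} otherwise (including {@code null})
     */
    public static boolean needCounterSignatureReferenceType(String str) {
        return !("http://uri.etsi.org/01903/v1.1.1#".equals(str) || "http://uri.etsi.org/01903/v1.2.2#".equals(str));
    }
}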
