package org.eclipse.scada.sec.authz.signature;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/scada/sec/authz/signature/X509KeySelector.class */
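/**
 * {@link KeySelector} that takes the verification key from an X.509 certificate embedded in the
 * signature's {@code KeyInfo}, but only after checking that certificate against the configured
 * {@link X509CA}s.
 * <p>
 * A certificate is accepted when its key algorithm matches the signature method (see
 * {@link #algEquals(String, String)}), it is within its validity period, and one configured CA
 * does not report it revoked and owns a currently valid CA certificate whose public key directly
 * verifies the certificate's signature. Only this single hop is checked; no intermediate chain
 * is built, and no key-usage or other extension is inspected.
 * <p>
 * Only the two SHA-1 signature method URIs ({@code dsa-sha1}, {@code rsa-sha1}) are recognized;
 * a signature declaring any other method is rejected before any certificate check is made.
 */
public class X509KeySelector extends KeySelector {
    private static final Logger logger = LoggerFactory.getLogger(X509KeySelector.class);

    /** The trust anchors, in the order they are consulted. Filled once by the constructor. */
    private final X509CA[] cas;

    /**
     * Creates a selector trusting a single CA.
     *
     * @param x509ca the CA to trust
     */
    public X509KeySelector(X509CA x509ca) {
        this(Collections.singleton(x509ca));
    }

    /**
     * Creates a selector trusting all given CAs.
     *
     * @param collection the CAs to trust; copied, so later changes to the collection are not seen
     * @throws NullPointerException if {@code collection} is {@code null}
     */
    public X509KeySelector(Collection<X509CA> collection) {
        this.cas = collection.toArray(new X509CA[0]);
    }

    /**
     * Calls {@link X509CA#load()} on every configured CA.
     * <p>
     * A failure of one CA is logged and the remaining CAs are still reloaded. An
     * {@link InterruptedException} stops the reload, is logged, and re-asserts the calling
     * thread's interrupt flag so the interruption is not lost.
     */
    public void reload() {
        logger.debug("Reloading");
        for (X509CA ca : this.cas) {
            logger.debug("Reloading ca: {}", ca);
            try {
                ca.load();
            } catch (InterruptedException e) {
                logger.warn("Failed to reload", e);
                // the original swallowed the interrupt; preserve it for the caller
                Thread.currentThread().interrupt();
                return;
            } catch (Exception e) {
                // one broken CA must not prevent the others from being reloaded
                logger.warn("Failed to reload", e);
            }
        }
    }

    /**
     * Selects the key for the signature being processed.
     * <p>
     * Walks the {@code X509Data} children of the {@code KeyInfo} and returns the result for the
     * first embedded certificate accepted by
     * {@link #findPublicKey(X509Certificate, SignatureMethod)}. Every other {@code KeyInfo}
     * child (KeyValue, KeyName, ...) and every non-certificate {@code X509Data} entry is
     * ignored; {@code purpose} and {@code xMLCryptoContext} are not consulted.
     *
     * @param keyInfo the KeyInfo of the signature
     * @param purpose not used
     * @param algorithmMethod the signature method; must be a {@link SignatureMethod}
     * @param xMLCryptoContext not used
     * @return a result carrying the accepted certificate
     * @throws KeySelectorException if {@code keyInfo} is {@code null} or no embedded certificate
     *         was accepted
     */
    @Override
    public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod algorithmMethod, XMLCryptoContext xMLCryptoContext) throws KeySelectorException {
        if (keyInfo == null) {
            throw new KeySelectorException("Null KeyInfo object!");
        }
        // The XML-DSig API passes the signature's SignatureMethod here; any other
        // AlgorithmMethod implementation would fail this cast.
        SignatureMethod signatureMethod = (SignatureMethod) algorithmMethod;
        for (Object child : keyInfo.getContent()) {
            if (!(child instanceof X509Data)) {
                continue;
            }
            for (Object entry : ((X509Data) child).getContent()) {
                if (!(entry instanceof X509Certificate)) {
                    continue;
                }
                KeySelectorResult result = findPublicKey((X509Certificate) entry, signatureMethod);
                if (result != null) {
                    return result;
                }
            }
        }
        // message kept as-is for compatibility; what is actually missing is an accepted certificate
        throw new KeySelectorException("No KeyValue element found!");
    }

    /**
     * Checks one certificate taken from the {@code KeyInfo} against the configured CAs.
     * <p>
     * The certificate is accepted when all of the following hold: its public key algorithm
     * matches the signature method, it is within its validity period, and some configured CA
     * does not report it revoked and owns a CA certificate that is itself within its validity
     * period and whose public key directly verifies the certificate's signature. Note that the
     * revocation check is per CA: a CA that reports the certificate revoked is skipped, but a
     * later CA may still accept it.
     *
     * @param cert the certificate embedded in the signature
     * @param signatureMethod the signature method declared by the signature
     * @return the result for the certificate, or {@code null} if it is rejected for any reason
     *         (rejections are logged at trace level only)
     */
    private KeySelectorResult findPublicKey(X509Certificate cert, SignatureMethod signatureMethod) {
        try {
            PublicKey publicKey = cert.getPublicKey();
            if (publicKey == null || !algEquals(signatureMethod.getAlgorithm(), publicKey.getAlgorithm())) {
                return null;
            }
            logger.trace("Checking certificate validity");
            // throws when not yet valid or expired; handled by the outer catch -> null
            cert.checkValidity();
            for (X509CA ca : this.cas) {
                if (logger.isTraceEnabled()) {
                    // dumpCa renders every CA certificate; only pay for that when it is logged
                    logger.trace("Checking CA: {}", dumpCa(ca));
                }
                if (ca.isRevoked(cert)) {
                    logger.trace("Cert is revoked by CA");
                    continue;
                }
                for (X509Certificate caCert : ca.getCertificates()) {
                    try {
                        logger.debug("Checking CA validity");
                        caCert.checkValidity();
                        logger.debug("Validate certificate");
                        // single hop: the certificate must be signed by this CA certificate directly
                        cert.verify(caCert.getPublicKey());
                        return new X509KeySelectorResult(cert);
                    } catch (Exception e) {
                        // this CA certificate is not valid or did not issue cert; try the next one
                        logger.trace("just ignore exception:", e);
                    }
                }
            }
            return null;
        } catch (Exception e) {
            logger.trace("Failed to select key", e);
            return null;
        }
    }

    /**
     * Renders all certificates of a CA, one per line, for trace logging.
     *
     * @param ca the CA to render; may be {@code null}
     * @return the rendering, or a fixed placeholder when the CA or its certificate list is
     *         {@code null}
     */
    private String dumpCa(X509CA ca) {
        if (ca == null || ca.getCertificates() == null) {
            return "no CA given or CA is empty";
        }
        StringBuilder sb = new StringBuilder();
        for (X509Certificate c : ca.getCertificates()) {
            sb.append(c).append('\n');
        }
        return sb.toString();
    }

    /**
     * Tells whether a public key's algorithm fits a signature method.
     * <p>
     * Only the two SHA-1 methods of the original XML-DSig specification are recognized:
     * {@link SignatureMethod#DSA_SHA1} requires a DSA key and {@link SignatureMethod#RSA_SHA1}
     * an RSA key. Every other URI, including the SHA-2 variants, yields {@code false}; a
     * {@code null} argument also yields {@code false} instead of failing.
     *
     * @param algUri the signature method algorithm URI
     * @param algName the public key algorithm name (compared case-insensitively)
     * @return {@code true} if the key may be used with the signature method
     */
    static boolean algEquals(String algUri, String algName) {
        if ("DSA".equalsIgnoreCase(algName) && SignatureMethod.DSA_SHA1.equalsIgnoreCase(algUri)) {
            return true;
        }
        if ("RSA".equalsIgnoreCase(algName) && SignatureMethod.RSA_SHA1.equalsIgnoreCase(algUri)) {
            return true;
        }
        logger.trace("Failed to check key - algUri: {}, algName: {}", algUri, algName);
        return false;
    }
}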
