package edu.internet2.middleware.shibboleth.utils;

import edu.internet2.middleware.shibboleth.xml.Parser;
import jargs.gnu.CmdLineParser;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.io.PrintWriter;
import java.net.URL;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import org.apache.log4j.ConsoleAppender;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.opensaml.XML;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/utils/MetadataTool.class */
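/**
 * Command-line tool that either signs a Shibboleth/SAML metadata or trust
 * document with an enveloped XML Signature, or verifies the signature(s)
 * already present on it, and then writes the exclusive-canonicalised document
 * to stdout or to {@code -o <outfile>}.
 *
 * <p>Security notes for operators:
 * <ul>
 * <li>The keystore/key password is taken from the {@code -p} command-line
 *     argument, so it is visible to other local users through the process
 *     list and may be recorded in shell history. It is also held in a
 *     {@code String} for the life of the JVM because the option parser
 *     returns it as one.</li>
 * <li>{@code -N} disables signer verification. A signature that is present is
 *     still checked, but only against whatever public key the document itself
 *     carries in {@code ds:KeyInfo}, which proves internal consistency and
 *     nothing about who produced the file. An unsigned input is accepted with
 *     a warning.</li>
 * <li>When a verification certificate is supplied with {@code -k}, signatures
 *     are checked against that certificate's public key only; this code does
 *     not check its validity period, chain or revocation status.</li>
 * <li>{@code -i} is resolved as a URL relative to {@code file:}, so remote
 *     schemes are accepted as input. Parsing is delegated to
 *     {@link Parser#loadDom}; its external-entity handling is not visible
 *     here.</li>
 * </ul>
 *
 * <p>Exit status: 0 on success or {@code -h}; 1 on usage errors and on any
 * keystore, root-element or signature failure; -1 if the input could not be
 * parsed.
 */
public class MetadataTool {

    /** XML Signature namespace. */
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
    private static final String EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String EXC_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments";
    // NOTE(review): SHA-1 based algorithms are kept, presumably for compatibility
    // with the consumers this tool was written for. SHA-1 is deprecated for
    // signatures; switch to rsa-sha256 / sha256 once every relying party accepts them.
    private static final String SIGNATURE_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String DIGEST_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#sha1";

    /**
     * Entry point. Parses the command line, loads signing or verification
     * credentials, reads and checks the input document, signs or verifies it,
     * and writes the canonicalised result.
     *
     * @param args command-line arguments, see {@link #printUsage(PrintStream)}
     * @throws Exception on I/O, keystore or XML Security failures not handled
     *         explicitly (reported by the JVM as an uncaught exception)
     */
    public static void main(String[] args) throws Exception {
        CmdLineParser parser = new CmdLineParser();
        CmdLineParser.Option helpOpt = parser.addBooleanOption('h', "help");
        CmdLineParser.Option signOpt = parser.addBooleanOption('s', "sign");
        CmdLineParser.Option noVerifyOpt = parser.addBooleanOption('N', "noverify");
        CmdLineParser.Option inOpt = parser.addStringOption('i', "in");
        CmdLineParser.Option outOpt = parser.addStringOption('o', "out");
        CmdLineParser.Option keystoreOpt = parser.addStringOption('k', "keystore");
        CmdLineParser.Option aliasOpt = parser.addStringOption('a', "alias");
        CmdLineParser.Option passwordOpt = parser.addStringOption('p', "password");
        CmdLineParser.Option nsOpt = parser.addStringOption('x', "ns");
        CmdLineParser.Option nameOpt = parser.addStringOption('n', "name");
        CmdLineParser.Option idOpt = parser.addStringOption('I', "id");
        CmdLineParser.Option debugOpt = parser.addBooleanOption('d', "debug");

        try {
            parser.parse(args);
        } catch (CmdLineParser.OptionException e) {
            System.err.println(e.getMessage());
            // Brief pause so the stderr message lands before the usage text on stdout.
            try {
                Thread.sleep(100L);
            } catch (InterruptedException ie) {
                Thread.currentThread().interrupt();
            }
            usageError();
        }

        // -d must be read after parse(); the original read it before parsing,
        // so debug logging could never be enabled.
        configureLogging(isSet((Boolean) parser.getOptionValue(debugOpt)));

        if (isSet((Boolean) parser.getOptionValue(helpOpt))) {
            printUsage(System.out);
            System.exit(0);
        }

        boolean sign = isSet((Boolean) parser.getOptionValue(signOpt));
        boolean noVerify = isSet((Boolean) parser.getOptionValue(noVerifyOpt));
        String keystorePath = (String) parser.getOptionValue(keystoreOpt);
        String password = (String) parser.getOptionValue(passwordOpt);
        String alias = (String) parser.getOptionValue(aliasOpt);
        String inFile = (String) parser.getOptionValue(inOpt);
        String outFile = (String) parser.getOptionValue(outOpt);
        String rootNs = (String) parser.getOptionValue(nsOpt);
        String rootName = (String) parser.getOptionValue(nameOpt);
        String targetId = (String) parser.getOptionValue(idOpt);

        if (isEmpty(inFile)) {
            usageError();
        }
        // A keystore is useless without an alias to select an entry.
        if (!isEmpty(keystorePath) && isEmpty(alias)) {
            usageError();
        }

        PrivateKey signingKey = null;
        Certificate[] signerChain = null;
        X509Certificate verifyCert = null;
        if (sign) {
            if (isEmpty(keystorePath) || isEmpty(password)) {
                usageError();
            }
            // The same password unlocks both the keystore and the key entry.
            char[] pw = password.toCharArray();
            KeyStore keyStore = loadKeyStore(keystorePath, pw);
            Key key = keyStore.getKey(alias, pw);
            signerChain = keyStore.getCertificateChain(alias);
            if (!(key instanceof PrivateKey) || signerChain == null) {
                System.err.println("error: couldn't load key or certificate chain from keystore");
                System.exit(1);
            }
            signingKey = (PrivateKey) key;
        } else if (!isEmpty(keystorePath)) {
            // Verification mode. If -p was given, use it so the JKS integrity check runs;
            // loading with a null password skips that check, so a tampered keystore with
            // a swapped verification certificate would go unnoticed.
            char[] pw = isEmpty(password) ? null : password.toCharArray();
            KeyStore keyStore = loadKeyStore(keystorePath, pw);
            Certificate cert = keyStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                System.err.println("error: couldn't load certificate from keystore");
                System.exit(1);
            }
            verifyCert = (X509Certificate) cert;
        } else if (!noVerify) {
            // Neither signing, nor a trusted certificate, nor an explicit opt-out.
            usageError();
        }

        // inFile is resolved as a URL against "file:", so plain paths and full URLs both work.
        Document doc = Parser.loadDom(new URL(new URL("file:"), inFile), true);
        if (doc == null) {
            // Reported on stderr: stdout is reserved for the canonicalised document.
            System.err.println("error: unable to read in file (" + inFile + ")");
            System.exit(-1);
        }

        Element target = doc.getDocumentElement();
        checkRootElement(target, rootNs, rootName);
        if (targetId != null) {
            // Sign/verify a specific element rather than the root.
            target = doc.getElementById(targetId);
            if (target == null) {
                System.err.println("error: no element with ID (" + targetId + ") found in document");
                System.exit(1);
            }
        }

        if (sign) {
            signElement(doc, target, signingKey, signerChain, targetId);
        } else {
            verifyDocument(doc, target, verifyCert, noVerify);
        }
        writeOutput(doc, outFile);
    }

    /** True when a boolean option was present on the command line. */
    private static boolean isSet(Boolean flag) {
        return flag != null && flag.booleanValue();
    }

    /** True when a string option is absent or empty. */
    private static boolean isEmpty(String value) {
        return value == null || value.length() == 0;
    }

    /** Prints usage and exits with status 1, the status usage errors have always produced. */
    private static void usageError() {
        printUsage(System.out);
        System.exit(1);
    }

    /**
     * Loads a JKS keystore from {@code path}, closing the file afterwards.
     *
     * @param path     keystore file
     * @param password keystore password, or null to skip the integrity check
     * @return the loaded keystore
     * @throws Exception if the file cannot be read or the keystore fails to load
     */
    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            keyStore.load(in, password);
        } finally {
            in.close();
        }
        return keyStore;
    }

    /**
     * Rejects documents whose root element is not one this tool handles. When
     * both {@code ns} and {@code name} are given they define the only accepted
     * root; otherwise the root must be one of the built-in Shibboleth/SAML types.
     * (The previous shape of this check also applied the built-in list after a
     * successful ns/name match, so -x/-n could never admit any other root.)
     * Exits with status 1 on mismatch.
     */
    private static void checkRootElement(Element root, String ns, String name) {
        if (ns != null && name != null) {
            if (!XML.isElementNamed(root, ns, name)) {
                System.err.println("error: root element did not match ns and name parameters");
                System.exit(1);
            }
            return;
        }
        String shibNs = edu.internet2.middleware.shibboleth.common.XML.SHIB_NS;
        String trustNs = edu.internet2.middleware.shibboleth.common.XML.TRUST_NS;
        String metaNs = edu.internet2.middleware.shibboleth.common.XML.SAML2META_NS;
        boolean known = XML.isElementNamed(root, shibNs, "SiteGroup")
                || XML.isElementNamed(root, shibNs, "Trust")
                || XML.isElementNamed(root, trustNs, "Trust")
                || XML.isElementNamed(root, metaNs, "EntityDescriptor")
                || XML.isElementNamed(root, metaNs, "EntitiesDescriptor");
        if (!known) {
            System.err.println("error: root element must be SiteGroup, Trust, EntitiesDescriptor, or EntityDescriptor");
            System.exit(1);
        }
    }

    /**
     * Verifies the signature enclosing {@code target} and every signature nested
     * below it, exiting with status 1 on the first failure.
     *
     * @param doc         the document being checked
     * @param target      element whose enveloped signature is expected (root, or the -I element)
     * @param trustedCert certificate to verify against, or null to fall back to the
     *                    key carried in each signature's KeyInfo (integrity only)
     * @param noVerify    -N: tolerate an unsigned input and verify with the embedded key
     */
    private static void verifyDocument(Document doc, Element target, X509Certificate trustedCert, boolean noVerify)
            throws Exception {
        Element topSignature = XML.getLastChildElement(target, DSIG_NS, "Signature");
        if (!noVerify) {
            if (topSignature == null) {
                System.err.println("error: file is not signed");
                System.exit(1);
            }
            failUnlessVerified(doc, topSignature, trustedCert);
        } else if (topSignature != null) {
            System.err.println("verification of signer disabled, make sure you trust the source of this file!");
            failUnlessVerified(doc, topSignature, trustedCert);
        } else {
            System.err.println("verification disabled, and file is unsigned!");
        }
        // Every descendant signature must verify too; the top one was handled above.
        NodeList signatures = target.getElementsByTagNameNS(DSIG_NS, "Signature");
        for (int i = 0; i < signatures.getLength(); i++) {
            Element signature = (Element) signatures.item(i);
            if (signature != topSignature) {
                failUnlessVerified(doc, signature, trustedCert);
            }
        }
    }

    /** Verifies one signature and exits with status 1 if it does not hold. */
    private static void failUnlessVerified(Document doc, Element signature, X509Certificate trustedCert)
            throws Exception {
        if (!verifySignature(doc, signature, trustedCert)) {
            System.err.println("error: signature did not verify");
            System.exit(1);
        }
    }

    /**
     * Strips any existing direct-child signature from {@code target}, then adds
     * and computes a fresh enveloped RSA-SHA1 signature over it. The signer's
     * certificate chain is embedded in KeyInfo so verifiers can identify the key.
     * For SAML 2 metadata the signature goes first (as the schema requires);
     * for the older Shibboleth formats it is appended.
     *
     * @param doc      owning document
     * @param target   element to sign
     * @param key      signing private key
     * @param chain    signer certificate chain, may be null or empty
     * @param targetId value of -I, used as the reference URI; null signs the whole document
     */
    private static void signElement(Document doc, Element target, PrivateKey key, Certificate[] chain,
            String targetId) throws Exception {
        // Remove stale signatures on this element; nested signatures are left alone.
        Element stale = XML.getFirstChildElement(target, DSIG_NS, "Signature");
        while (stale != null) {
            target.removeChild(stale);
            stale = XML.getFirstChildElement(target, DSIG_NS, "Signature");
        }

        XMLSignature signature = new XMLSignature(doc, "", SIGNATURE_ALGORITHM, EXC_C14N_WITH_COMMENTS);
        Transforms transforms = new Transforms(doc);
        transforms.addTransform(ENVELOPED_TRANSFORM);
        transforms.addTransform(EXC_C14N_WITH_COMMENTS);
        String referenceUri = targetId == null ? "" : "#" + targetId;
        signature.addDocument(referenceUri, transforms, DIGEST_ALGORITHM);

        if (chain != null && chain.length > 0) {
            X509Data x509Data = new X509Data(doc);
            for (int i = 0; i < chain.length; i++) {
                if (chain[i] instanceof X509Certificate) {
                    x509Data.addCertificate((X509Certificate) chain[i]);
                }
            }
            KeyInfo keyInfo = new KeyInfo(doc);
            keyInfo.add(x509Data);
            signature.getElement().appendChild(keyInfo.getElement());
        }

        if (edu.internet2.middleware.shibboleth.common.XML.SAML2META_NS.equals(target.getNamespaceURI())) {
            target.insertBefore(signature.getElement(), target.getFirstChild());
        } else {
            target.appendChild(signature.getElement());
        }
        signature.sign(key);
    }

    /**
     * Writes the exclusive-canonicalised document. The canonicaliser produces
     * UTF-8 bytes, which are written as-is; the previous round-trip through a
     * platform-charset String could corrupt non-ASCII content.
     *
     * @param doc     document to emit
     * @param outFile destination path, or null/empty for stdout
     */
    private static void writeOutput(Document doc, String outFile) throws Exception {
        Canonicalizer canonicalizer = Canonicalizer.getInstance(EXC_C14N_WITH_COMMENTS);
        byte[] bytes = canonicalizer.canonicalizeSubtree(doc);
        if (isEmpty(outFile)) {
            System.out.write(bytes, 0, bytes.length);
            System.out.flush();
            return;
        }
        FileOutputStream out = new FileOutputStream(outFile);
        try {
            out.write(bytes);
        } finally {
            out.close();
        }
    }

    /**
     * Verifies a single ds:Signature element.
     *
     * <p>The signature must first match the profile this tool accepts (see
     * {@link #hasAcceptableProfile}); a non-conforming signature is reported as
     * invalid without checking the signature value. The value is then checked
     * against {@code trustedCert} when one was supplied, otherwise against the
     * public key the signature carries in its own KeyInfo - which only shows the
     * document is consistent with itself, not who signed it.
     *
     * @param document         owning document (unused; kept for the existing call shape)
     * @param signatureElement the ds:Signature element
     * @param trustedCert      certificate to verify against, or null
     * @return true if the signature conforms and verifies
     */
    private static boolean verifySignature(Document document, Element signatureElement, X509Certificate trustedCert)
            throws Exception {
        XMLSignature signature = new XMLSignature(signatureElement, "");
        if (!hasAcceptableProfile(signature, signatureElement)) {
            System.err.println("error: signature profile was invalid");
            return false;
        }
        if (trustedCert != null) {
            return signature.checkSignatureValue(trustedCert);
        }
        // No trusted certificate: fall back to the embedded key, guarding against a
        // missing KeyInfo, which previously raised a NullPointerException.
        KeyInfo keyInfo = signature.getKeyInfo();
        PublicKey embeddedKey = keyInfo == null ? null : keyInfo.getPublicKey();
        if (embeddedKey == null) {
            System.err.println("error: no verification certificate given and signature carries no usable key");
            return false;
        }
        return signature.checkSignatureValue(embeddedKey);
    }

    /**
     * Checks that a signature has exactly one reference, that the reference
     * covers the element enclosing the signature (URI empty, or "#" plus that
     * element's own ID attribute), that it uses the enveloped-signature
     * transform, and that the only other transforms are exclusive C14N.
     * Restricting the reference to the signature's own parent is what stops a
     * signature over some unrelated subtree from being accepted as covering
     * the document.
     *
     * @return true if the signature conforms to the expected profile
     */
    private static boolean hasAcceptableProfile(XMLSignature signature, Element signatureElement)
            throws Exception {
        SignedInfo signedInfo = signature.getSignedInfo();
        if (signedInfo.getLength() != 1) {
            return false;
        }
        Reference reference = signedInfo.item(0);
        String uri = reference.getURI();
        boolean coversParent = uri == null || uri.equals("");
        if (!coversParent) {
            // Require a non-empty ID on the parent so that "#" alone can never match.
            org.w3c.dom.Node parent = signatureElement.getParentNode();
            String parentId = parent instanceof Element ? ((Element) parent).getAttributeNS(null, "ID") : "";
            coversParent = parentId.length() > 0 && uri.equals("#" + parentId);
        }
        if (!coversParent) {
            return false;
        }
        Transforms transforms = reference.getTransforms();
        if (transforms == null) {
            // No transforms at all means no enveloped-signature transform.
            return false;
        }
        boolean enveloped = false;
        for (int i = 0; i < transforms.getLength(); i++) {
            String transformUri = transforms.item(i).getURI();
            if (ENVELOPED_TRANSFORM.equals(transformUri)) {
                enveloped = true;
            } else if (!EXC_C14N.equals(transformUri) && !EXC_C14N_WITH_COMMENTS.equals(transformUri)) {
                return false;
            }
        }
        return enveloped;
    }

    /**
     * Prints the usage text. Unlike before, this no longer calls System.exit,
     * so callers control the exit status (-h now really exits 0).
     *
     * @param printStream where to print
     */
    private static void printUsage(PrintStream printStream) {
        printStream.println("usage: java edu.internet2.middleware.shibboleth.utils.MetadataTool");
        printStream.println();
        printStream.println("when signing:   -i <uri> -s -k <keystore> -a <alias> -p <pass> [-o <outfile>]");
        printStream.println("when updating:  -i <uri> [-k <keystore> -a <alias> [-p <pass>] OR -N ] [-o <outfile>]");
        printStream.println("  -i,--in              input file or url");
        printStream.println("  -k,--keystore        pathname of Java keystore file");
        printStream.println("  -a,--alias           alias of signing or verification key");
        printStream.println("  -p,--password        keystore/key password");
        printStream.println("  -o,--outfile         write signed copy to this file instead of stdout");
        printStream.println("  -s,--sign            sign the input file and write out a signed version");
        printStream.println("  -N,--noverify        allows update of file without signature check");
        printStream.println("  -h,--help            print this message");
        printStream.println("  -x,--ns              XML namespace of root element");
        printStream.println("  -n,--name            name of root element");
        printStream.println("  -I,--id              ID attribute value of element to sign");
        printStream.println("  -d, --debug          run in debug mode");
        printStream.println();
    }

    /**
     * Routes log4j output to stderr (stdout carries the document) at DEBUG or
     * WARN level, and silences the XML Security library's own logger.
     *
     * @param debug true for DEBUG level with a verbose layout
     */
    private static void configureLogging(boolean debug) {
        ConsoleAppender appender = new ConsoleAppender();
        appender.setWriter(new PrintWriter(System.err));
        appender.setName("stdout");
        Logger.getRootLogger().addAppender(appender);
        if (debug) {
            Logger.getRootLogger().setLevel(Level.DEBUG);
            appender.setLayout(new PatternLayout("%-5p %-41X{serviceId} %d{ISO8601} (%c:%L) - %m%n"));
        } else {
            Logger.getRootLogger().setLevel(Level.WARN);
            appender.setLayout(new PatternLayout("%r [%t] %p %c %x - %m%n"));
        }
        Logger.getLogger("org.apache.xml.security").setLevel(Level.OFF);
    }
}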
