package de.gematik.pki.tsl;

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import lombok.Generated;
import lombok.NonNull;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.signature.XMLSignatureException;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import xades4j.XAdES4jException;
import xades4j.providers.impl.PKIXCertificateValidationProvider;
import xades4j.verification.SignatureSpecificVerificationOptions;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
import xades4j.verification.XadesVerifier;

/* loaded from: input_file:de/gematik/pki/tsl/TslValidator.class */
public class TslValidator {

    /** Namespace in which the {@code Signature} element is looked up (XML Digital Signature). */
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Provider id used both for the PKIX cert-path builder and for the XML-security JCE mapping. */
    private static final String BC_PROVIDER_ID = "BC";

    static {
        // Bouncy Castle is registered on first use of this class so that the
        // cert-path builder requested by name below can be resolved. A "BC"
        // provider that is already present is left as-is, and JCEMapper is
        // then not re-pointed either.
        if (Security.getProvider(BC_PROVIDER_ID) == null) {
            Security.addProvider(new BouncyCastleProvider());
            JCEMapper.setProviderId(BC_PROVIDER_ID);
        }
    }

    @Generated
    private TslValidator() {
        // static utility class, not instantiable
    }

    /**
     * Verifies the XAdES signature of a TSL document against a single trust anchor.
     *
     * <p>The given certificate is the only trusted certificate of the validation
     * key store, PKIX path building uses the "BC" provider, and revocation
     * checking is disabled in the verification profile. The signature that is
     * verified is the first {@code Signature} element in the XMLDSig namespace
     * in document order, wherever it appears in the document. After XAdES
     * verification the raw signature value is additionally checked against the
     * validation certificate reported by the verifier.
     *
     * @param document        parsed TSL; must not be {@code null}
     * @param x509Certificate trust anchor the signing chain has to lead to; must not be {@code null}
     * @return {@code true} only if a signature element was found, XAdES verification succeeded
     *         and the signature value matched the validation certificate; {@code false} otherwise
     * @throws IOException         propagated from loading the in-memory key store
     * @throws NullPointerException if either argument is {@code null}
     */
    public static boolean checkSignature(@NonNull Document document, @NonNull X509Certificate x509Certificate) throws IOException {
        if (document == null) {
            throw new NullPointerException("tsl is marked non-null but is null");
        }
        if (x509Certificate == null) {
            throw new NullPointerException("trustAnchor is marked non-null but is null");
        }
        try {
            Optional<XAdESVerificationResult> outcome = getVerificationResult(document, x509Certificate);
            if (outcome.isPresent()) {
                XAdESVerificationResult result = outcome.get();
                return result.getXmlSignature().checkSignatureValue(result.getValidationCertificate());
            }
            return false;
        } catch (XAdES4jException | NoSuchAlgorithmException | XMLSignatureException | KeyStoreException | NoSuchProviderException | CertificateException e) {
            // Every failure mode -- including environment problems such as a
            // missing provider or an unusable key store -- is reported as "not
            // valid"; through this API a caller cannot tell a bad signature from
            // a misconfiguration.
            return false;
        }
    }

    /**
     * Runs XAdES verification of the document's first {@code ds:Signature} element.
     *
     * @return the verification result, or empty when the document holds no
     *         {@code Signature} element in the XMLDSig namespace
     */
    private static Optional<XAdESVerificationResult> getVerificationResult(Document document, X509Certificate x509Certificate) throws XAdES4jException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException, KeyStoreException, IOException {
        // The trust store and verifier are built before the signature element is
        // looked up, so key-store problems surface even for unsigned documents.
        XadesVerifier verifier = new XadesVerificationProfile(
                PKIXCertificateValidationProvider.builder(newTrustStore(x509Certificate))
                        .certPathBuilderProvider(BC_PROVIDER_ID)
                        .checkRevocation(false)
                        .build())
                .newVerifier();
        Element signatureElement = firstSignatureElement(document);
        if (signatureElement == null) {
            return Optional.empty();
        }
        return Optional.of(verifier.verify(signatureElement, (SignatureSpecificVerificationOptions) null));
    }

    /** Builds an in-memory key store of the default type whose only entry is the trust anchor. */
    private static KeyStore newTrustStore(X509Certificate trustAnchor) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null);
        // Alias is the subject DN in RFC 2253 form; only one entry is ever stored.
        trustStore.setCertificateEntry(trustAnchor.getSubjectX500Principal().getName(), trustAnchor);
        return trustStore;
    }

    /** Returns the first XMLDSig {@code Signature} element in document order, or {@code null} if there is none. */
    private static Element firstSignatureElement(Document document) {
        return (Element) document.getElementsByTagNameNS(XMLDSIG_NS, "Signature").item(0);
    }
}
