package won.cryptography.rdfsign;

import de.uni_koblenz.aggrimm.icp.crypto.sign.algorithm.algorithm.SignatureAlgorithmFisteus2010;
import de.uni_koblenz.aggrimm.icp.crypto.sign.graph.GraphCollection;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.Map;
import org.apache.jena.query.Dataset;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.RDFNode;
import org.apache.jena.rdf.model.Resource;
import org.apache.jena.rdf.model.StmtIterator;
import org.apache.jena.riot.Lang;
import org.apache.jena.riot.RDFDataMgr;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import won.protocol.message.WonSignatureData;
import won.protocol.util.RdfUtils;
import won.protocol.util.WonRdfUtils;
import won.protocol.vocabulary.WONMSG;

/* loaded from: input_file:won/cryptography/rdfsign/WonVerifier.class */
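/**
 * Verifies the signatures carried in the named graphs of an RDF {@link Dataset}.
 *
 * <p>On construction every named graph is classified: signature graphs contribute their
 * {@link WonSignatureData} to the verification state, all other graphs are recorded as signed
 * graph names and scanned for signature references. {@link #verify(Map)} then checks each
 * collected signature against the graph it names.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The public key is selected by the verification certificate URI stated in the signature
 *       itself. This class only checks that the key's fingerprint matches the fingerprint in the
 *       signature; whether that key is authorised for the message is decided by whoever builds
 *       the key map.</li>
 *   <li>A signature whose signed graph is not in the dataset is skipped with a debug log and does
 *       not fail verification here.</li>
 *   <li>NOTE(review): {@code verify} does not itself check that every graph recorded via
 *       {@code addSignedGraphName} is covered by a successfully verified signature. Confirm that
 *       {@code SignatureVerificationState.isVerificationPassed()} enforces this.</li>
 * </ul>
 */
public class WonVerifier {
    private final Dataset dataset;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final SignatureVerificationState verificationState = new SignatureVerificationState();

    /**
     * Creates a verifier for {@code dataset} and collects its signatures immediately.
     *
     * @param dataset the dataset whose named graphs are to be verified
     */
    public WonVerifier(Dataset dataset) {
        // NOTE(review): the provider is instantiated but not registered here. If
        // WonSigner.SIGNING_ALGORITHM_PROVIDER is a provider name, the lookups in verify() only
        // succeed when the provider has been registered elsewhere - confirm.
        new BouncyCastleProvider();
        this.dataset = dataset;
        prepareForVerifying();
    }

    /** Sorts every named graph into "signature graph" or "signed content graph". */
    private void prepareForVerifying() {
        for (String graphName : RdfUtils.getModelNames(this.dataset)) {
            Model graph = this.dataset.getNamedModel(graphName);
            if (WonRdfUtils.SignatureUtils.isSignatureGraph(graphName, graph)) {
                addSignatureToResult(graphName, graph);
            } else {
                this.verificationState.addSignedGraphName(graphName);
                addSignatureReferenceToResult(graphName, graph);
            }
        }
    }

    /**
     * Returns the verification state, including any failure recorded by {@link #verify(Map)}.
     *
     * @return the state object this verifier updates
     */
    public SignatureVerificationState getVerificationResult() {
        return this.verificationState;
    }

    /**
     * Verifies all collected signatures whose signed graph is part of the dataset.
     *
     * <p>Verification stops at the first failing signature. For each signature the method checks,
     * in order: a non-empty signature value, a public key for the stated certificate URI, the
     * key fingerprint, the canonical graph hash, and finally the cryptographic signature over
     * that hash.
     *
     * @param map public keys by verification certificate URI
     * @return the value of {@code isVerificationPassed()} on the verification state
     * @throws Exception if the digest or signature algorithm cannot be obtained, if
     *     canonicalisation or signature processing fails, or if the signature value is not valid
     *     Base64 (an {@link IllegalArgumentException} from the decoder); these cases are not
     *     recorded in the verification state
     */
    public boolean verify(Map<String, PublicKey> map) throws Exception {
        if (this.verificationState.getSignatures().size() == 0) {
            this.verificationState.verificationFailed("No signatures found");
            return this.verificationState.isVerificationPassed();
        }
        // Triples in the default graph are covered by no signature, so they are rejected outright.
        if (this.dataset.getDefaultModel().listStatements().hasNext()) {
            this.verificationState.verificationFailed("unsigned data found in default graph");
            return this.verificationState.isVerificationPassed();
        }
        SignatureAlgorithmFisteus2010 graphHasher = new SignatureAlgorithmFisteus2010();
        MessageDigest fingerprintDigest = MessageDigest.getInstance(WonSigner.ENV_HASH_ALGORITHM, WonSigner.SIGNING_ALGORITHM_PROVIDER);
        for (WonSignatureData sig : this.verificationState.getSignatures()) {
            if (!this.dataset.containsNamedModel(sig.getSignedGraphUri())) {
                this.logger.debug("cannot verify signature {} as it is not part of this message ", sig.getSignatureUri());
                continue;
            }
            String signatureValue = sig.getSignatureValue();
            if (signatureValue == null) {
                return fail(sig, "Failed to compute a signature value " + sig.getSignatureUri());
            }
            if (signatureValue.isEmpty()) {
                return fail(sig, "Computed an empty signature value " + sig.getSignatureUri());
            }
            PublicKey publicKey = map.get(sig.getVerificationCertificateUri());
            if (publicKey == null) {
                return fail(sig, "No public key found for " + sig.getSignatureUri());
            }
            String computedFingerprint = Base64.getEncoder().encodeToString(fingerprintDigest.digest(publicKey.getEncoded()));
            // Compare from the computed side: a signature without a fingerprint is then a
            // recorded verification failure instead of a NullPointerException.
            if (!computedFingerprint.equals(sig.getPublicKeyFingerprint())) {
                return fail(sig, "Fingerprint computed for the specified public key " + sig.getVerificationCertificateUri() + " is " + computedFingerprint + ", which differs from the value found in signature " + sig.getSignatureUri());
            }
            GraphCollection signedGraph = ModelConverter.modelToGraphCollection(sig.getSignedGraphUri(), this.dataset);
            graphHasher.canonicalize(signedGraph);
            graphHasher.postCanonicalize(signedGraph);
            graphHasher.hash(signedGraph, WonSigner.ENV_HASH_ALGORITHM);
            graphHasher.postHash(signedGraph);
            BigInteger hash = signedGraph.getSignature().getHash();
            String computedHash = Base64.getEncoder().encodeToString(hash.toByteArray());
            // Same null-safe direction as the fingerprint check: a missing hash fails closed.
            if (!computedHash.equals(sig.getHash())) {
                boolean passed = fail(sig, "Computed hash value " + computedHash + " differs from value " + sig.getHash() + " found in signature " + sig.getSignatureUri());
                if (this.logger.isDebugEnabled()) {
                    // Debug aid only: this writes the full content of the signed graph to the log.
                    StringWriter graphDump = new StringWriter();
                    RDFDataMgr.write(graphDump, this.dataset.getNamedModel(sig.getSignedGraphUri()), Lang.TRIG);
                    this.logger.debug("wrong signature hash for graph {} with content: {}", sig.getSignedGraphUri(), graphDump.toString());
                }
                return passed;
            }
            // The signature is checked over the locally recomputed hash, never over the hash
            // string stated in the signature.
            Signature signature = Signature.getInstance(WonSigner.SIGNING_ALGORITHM_NAME, WonSigner.SIGNING_ALGORITHM_PROVIDER);
            signature.initVerify(publicKey);
            signature.update(hash.toByteArray());
            if (!signature.verify(Base64.getDecoder().decode(signatureValue))) {
                return fail(sig, "Failed to verify " + sig.getSignatureUri() + " with public key " + sig.getVerificationCertificateUri());
            }
        }
        return this.verificationState.isVerificationPassed();
    }

    /** Records a failure for {@code sig} and returns the resulting overall verification result. */
    private boolean fail(WonSignatureData sig, String message) {
        this.verificationState.setVerificationFailed(sig.getSignatureUri(), message);
        return this.verificationState.isVerificationPassed();
    }

    /** Adds the signature described by a signature graph, if it carries a signature value. */
    private void addSignatureToResult(String str, Model model) {
        WonSignatureData signatureData = WonRdfUtils.SignatureUtils.extractWonSignatureData(str, model);
        if (signatureData == null || signatureData.getSignatureValue() == null) {
            return;
        }
        this.verificationState.addSignatureData(signatureData);
    }

    /**
     * Adds the signature data of every signature referenced from a content graph.
     *
     * <p>The graph name {@code str} is not used. Unlike {@link #addSignatureToResult}, the
     * extracted data is added without a null check, so a reference without a signature value
     * reaches {@link #verify(Map)} and is rejected there when its signed graph is in the dataset.
     */
    private void addSignatureReferenceToResult(String str, Model model) {
        StmtIterator references = model.listStatements((Resource) null, WONMSG.CONTAINS_SIGNATURE_PROPERTY, (RDFNode) null);
        while (references.hasNext()) {
            this.verificationState.addSignatureData(WonRdfUtils.SignatureUtils.extractWonSignatureData(references.nextStatement().getObject().asResource()));
        }
    }
}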
