package org.kuali.rice.ksb.messaging;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
import org.kuali.rice.ksb.security.HttpClientHeaderDigitalSigner;
import org.kuali.rice.ksb.security.SignatureVerifyingInputStream;
import org.kuali.rice.ksb.security.admin.service.JavaSecurityManagementService;
import org.kuali.rice.ksb.security.service.DigitalSignatureService;
import org.kuali.rice.ksb.util.KSBConstants;
import org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor;
import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;

/* loaded from: input_file:WEB-INF/lib/rice-ksb-client-impl-2.5.14.jar:org/kuali/rice/ksb/messaging/KSBHttpInvokerRequestExecutor.class */
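/**
 * HTTP invoker request executor that signs outgoing request bodies and wraps incoming
 * response bodies in a signature-verifying stream when running in secure mode.
 *
 * <p>Secure mode is the default. It is only switched off when {@code secure} is explicitly
 * set to {@link Boolean#FALSE}; a {@code null} flag is treated as secure so that a missing
 * or mis-wired configuration value cannot silently disable signing and verification.
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX markers below), so local
 * names and access modifiers may differ from the original source.
 */
public class KSBHttpInvokerRequestExecutor extends HttpComponentsHttpInvokerRequestExecutor {
    /** Response header carrying the Base64-encoded signature of the response body. */
    private static final String DIGITAL_SIGNATURE_HEADER = "KEW_DIGITAL_SIGNATURE";

    /** Response header naming the key store alias to verify the signature with. */
    private static final String KEYSTORE_ALIAS_HEADER = "KEW_KEYSTORE_ALIAS";

    // Tri-state on purpose (the public getter/setter expose a Boolean); null is handled in isSecure().
    private Boolean secure = Boolean.TRUE;

    /** Creates an executor with secure mode enabled. */
    public KSBHttpInvokerRequestExecutor() {
    }

    /**
     * Creates an executor with the given secure-mode flag.
     *
     * @param bool {@code Boolean.FALSE} to disable signing/verification; any other value,
     *             including {@code null}, leaves secure mode on (see {@link #isSecure()})
     */
    public KSBHttpInvokerRequestExecutor(Boolean bool) {
        this.secure = bool;
    }

    /**
     * Creates an executor that uses the supplied HTTP client, with secure mode enabled.
     *
     * @param httpClient the client passed through to the superclass constructor
     */
    public KSBHttpInvokerRequestExecutor(HttpClient httpClient) {
        super(httpClient);
    }

    /**
     * Signs the serialized request (secure mode only) and then lets the superclass attach the body.
     *
     * @throws RuntimeException if signing fails for any reason; the request body is not set in that case
     * @throws IOException if the superclass fails to set the body
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor
    public void setRequestBody(HttpInvokerClientConfiguration httpInvokerClientConfiguration, HttpPost httpPost, ByteArrayOutputStream byteArrayOutputStream) throws IOException {
        if (isSecure()) {
            try {
                signRequest(httpPost, byteArrayOutputStream);
            } catch (Exception e) {
                // Fail closed: an unsigned request is never sent when secure mode is on.
                throw new RuntimeException("Failed to sign the outgoing message.", e);
            }
        }
        super.setRequestBody(httpInvokerClientConfiguration, httpPost, byteArrayOutputStream);
    }

    /**
     * Returns the response body, wrapped in a {@link SignatureVerifyingInputStream} in secure mode.
     *
     * <p>In secure mode the response must carry a signature header plus either a certificate
     * header or a key store alias header. When both are present the certificate header wins.
     *
     * <p>NOTE(review): this method only constructs the verifying stream; nothing here checks the
     * signature before returning. Presumably {@code SignatureVerifyingInputStream} verifies once
     * the body has been consumed - confirm that callers cannot act on (or deserialize) the body
     * before that check has passed.
     *
     * @return the raw superclass stream when not secure, otherwise a signature-verifying wrapper
     * @throws RuntimeException if a required header is missing or blank, or if the verification
     *         signature cannot be set up
     * @throws IOException if reading the response body fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor
    public InputStream getResponseBody(HttpInvokerClientConfiguration httpInvokerClientConfiguration, HttpResponse httpResponse) throws IOException {
        if (!isSecure()) {
            return super.getResponseBody(httpInvokerClientConfiguration, httpResponse);
        }
        Header signatureHeader = httpResponse.getFirstHeader(DIGITAL_SIGNATURE_HEADER);
        Header aliasHeader = httpResponse.getFirstHeader(KEYSTORE_ALIAS_HEADER);
        Header certificateHeader = httpResponse.getFirstHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
        // isBlank (not isEmpty) so a whitespace-only signature is rejected here, consistently
        // with the alias/certificate checks below, instead of decoding to an empty signature.
        if (signatureHeader == null || StringUtils.isBlank(signatureHeader.getValue())) {
            throw new RuntimeException("A digital signature header was required on the response but none was found.");
        }
        boolean hasAlias = aliasHeader != null && StringUtils.isNotBlank(aliasHeader.getValue());
        boolean hasCertificate = certificateHeader != null && StringUtils.isNotBlank(certificateHeader.getValue());
        if (!hasCertificate && !hasAlias) {
            throw new RuntimeException("Either a key store alias header or a certificate header was required on the response but neither were found.");
        }
        byte[] signatureBytes = Base64.decodeBase64(signatureHeader.getValue().getBytes("UTF-8"));
        String errorContext = "General Security Error";
        Signature verifier;
        try {
            if (hasCertificate) {
                errorContext = "Error with given certificate";
                // NOTE(review): the certificate is taken from the response being verified.
                // Confirm that getSignatureForVerification(Certificate) only accepts certificates
                // already trusted by the local key store; otherwise a valid signature shows only
                // that the response is self-consistent, not who sent it.
                byte[] certificateBytes = Base64.decodeBase64(certificateHeader.getValue().getBytes("UTF-8"));
                verifier = getDigitalSignatureService().getSignatureForVerification(
                        CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID)
                                .generateCertificate(new ByteArrayInputStream(certificateBytes)));
            } else {
                // hasAlias is guaranteed here by the header check above.
                String alias = aliasHeader.getValue();
                // NOTE(review): alias is remote-supplied text that ends up in the exception
                // message; make sure whatever logs it neutralises control characters.
                errorContext = "Error with given alias " + alias;
                verifier = getDigitalSignatureService().getSignatureForVerification(alias);
            }
            return new SignatureVerifyingInputStream(signatureBytes, verifier, super.getResponseBody(httpInvokerClientConfiguration, httpResponse));
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Problem verifying signature: " + errorContext, e);
        }
    }

    /**
     * Rejects any response whose HTTP status code is 300 or above.
     *
     * <p>NOTE(review): {@code HttpException} is not among this file's imports; presumably it is
     * the type of that name in this package - confirm.
     *
     * @throws HttpException carrying the status code and reason phrase when the status is &gt;= 300
     */
    @Override // org.springframework.remoting.httpinvoker.HttpComponentsHttpInvokerRequestExecutor
    protected void validateResponse(HttpInvokerClientConfiguration httpInvokerClientConfiguration, HttpResponse httpResponse) throws HttpException {
        int statusCode = httpResponse.getStatusLine().getStatusCode();
        if (statusCode >= 300) {
            throw new HttpException(statusCode, "Did not receive successful HTTP response: status code = " + statusCode + ", status message = [" + httpResponse.getStatusLine().getReasonPhrase() + "]");
        }
    }

    /**
     * Feeds the serialized request bytes into a signing {@link Signature} and asks the header
     * signer to sign.
     *
     * @param httpPost the outgoing request handed to the header signer
     * @param byteArrayOutputStream the serialized request body to be signed
     * @throws Exception if obtaining the signature, updating it, or signing fails
     */
    protected void signRequest(HttpPost httpPost, ByteArrayOutputStream byteArrayOutputStream) throws Exception {
        HttpClientHeaderDigitalSigner signer = new HttpClientHeaderDigitalSigner(
                getDigitalSignatureService().getSignatureForSigning(),
                httpPost,
                getJavaSecurityManagementService().getModuleKeyStoreAlias());
        signer.getSignature().update(byteArrayOutputStream.toByteArray());
        signer.sign();
    }

    /**
     * Tells whether requests are signed and responses verified.
     *
     * @return {@code false} only when {@link #getSecure()} is {@code Boolean.FALSE}; a
     *         {@code null} flag counts as secure rather than raising a NullPointerException
     */
    protected boolean isSecure() {
        return !Boolean.FALSE.equals(getSecure());
    }

    /** @return the raw secure-mode flag as configured; may be {@code null} */
    public Boolean getSecure() {
        return this.secure;
    }

    /**
     * Sets the secure-mode flag.
     *
     * @param bool {@code Boolean.FALSE} disables signing and response verification
     */
    public void setSecure(Boolean bool) {
        this.secure = bool;
    }

    /** Looks up the digital signature service from the global resource loader on every call. */
    protected DigitalSignatureService getDigitalSignatureService() {
        return (DigitalSignatureService) GlobalResourceLoader.getService(KSBConstants.ServiceNames.DIGITAL_SIGNATURE_SERVICE);
    }

    /** Looks up the Java security management service from the global resource loader on every call. */
    protected JavaSecurityManagementService getJavaSecurityManagementService() {
        return (JavaSecurityManagementService) GlobalResourceLoader.getService(KSBConstants.ServiceNames.JAVA_SECURITY_MANAGEMENT_SERVICE);
    }
}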
