package org.kuali.rice.ksb.security;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.kuali.rice.ksb.service.KSBServiceLocator;
import org.kuali.rice.ksb.util.KSBConstants;

/* loaded from: input_file:WEB-INF/lib/rice-ksb-client-impl-2.1.10.jar:org/kuali/rice/ksb/security/SignatureVerifyingRequestWrapper.class */
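/**
 * Request wrapper that requires a digital signature on the incoming request and
 * hands the request body to a {@code SignatureVerifyingInputStream} together with
 * the decoded signature bytes and a {@link Signature} prepared for verification.
 *
 * <p>The signature is read from the {@code KEW_DIGITAL_SIGNATURE} header. The
 * verification key is selected either by a Base64-encoded certificate in the
 * {@code KSBConstants.KEYSTORE_CERTIFICATE_HEADER} header or, when that is absent,
 * by a keystore alias in the {@code KEW_KEYSTORE_ALIAS} header.
 *
 * <p>Construction fails closed: if no usable signature, alias or certificate is
 * present, or no verifier can be obtained, a {@link RuntimeException} is thrown and
 * no wrapper is created.
 */
public class SignatureVerifyingRequestWrapper extends HttpServletRequestWrapper {
    /** Raw signature bytes decoded from the signature header. */
    private byte[] digitalSignature;
    /** Verifier obtained from the digital signature service; never null after construction. */
    private Signature signature;

    /**
     * Reads the signature and key-selection headers and prepares the verifier.
     *
     * @param httpServletRequest the request to wrap
     * @throws RuntimeException if the signature header is missing or blank, if
     *     neither an alias nor a certificate is supplied, or if the verifier
     *     cannot be initialised
     */
    public SignatureVerifyingRequestWrapper(HttpServletRequest httpServletRequest) {
        super(httpServletRequest);
        String encodedSignature = httpServletRequest.getHeader("KEW_DIGITAL_SIGNATURE");
        // Blank (not just empty) is rejected: a whitespace-only header carries no signature.
        if (StringUtils.isBlank(encodedSignature)) {
            throw new RuntimeException("A digital signature was required on the request but none was found.");
        }
        String verificationAlias = httpServletRequest.getHeader("KEW_KEYSTORE_ALIAS");
        String encodedCertificate = httpServletRequest.getHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
        // Use the same blank test as the branches below. With an isEmpty() check here, a
        // whitespace-only alias passed this guard but matched neither branch, leaving the
        // verifier null and the request wrapped without any key to verify against.
        if (StringUtils.isBlank(verificationAlias) && StringUtils.isBlank(encodedCertificate)) {
            throw new RuntimeException("A verification alias or certificate was required on the request but neither was found.");
        }
        try {
            this.digitalSignature = Base64.decodeBase64(encodedSignature.getBytes("UTF-8"));
            if (StringUtils.isNotBlank(encodedCertificate)) {
                // NOTE(review): the certificate used for verification comes from the request
                // itself. Unless getSignatureForVerification(Certificate) checks it against the
                // local keystore or trust anchors (not visible in this class), a valid signature
                // only proves the sender holds the key for the certificate they sent, not that
                // the sender is a trusted peer. Confirm the service rejects unknown certificates.
                byte[] certificateBytes = Base64.decodeBase64(encodedCertificate.getBytes("UTF-8"));
                this.signature = KSBServiceLocator.getDigitalSignatureService().getSignatureForVerification(
                        CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID)
                                .generateCertificate(new ByteArrayInputStream(certificateBytes)));
            } else {
                // The guard above guarantees the alias is non-blank when no certificate was sent.
                this.signature = KSBServiceLocator.getDigitalSignatureService().getSignatureForVerification(verificationAlias);
            }
        } catch (Exception e) {
            throw new RuntimeException("Failed to initialize digital signature verification.", e);
        }
        // Fail closed if the service handed back no verifier rather than passing null downstream.
        if (this.signature == null) {
            throw new RuntimeException("Failed to initialize digital signature verification.");
        }
    }

    /**
     * Returns the request body wrapped in a {@code SignatureVerifyingInputStream}.
     *
     * <p>NOTE(review): only this accessor is overridden. {@code getReader()} and the
     * parameter accessors inherited from {@link HttpServletRequestWrapper} delegate to
     * the wrapped request, so a body consumed through them does not pass through the
     * verifying stream. Confirm that downstream handlers read the body via
     * {@code getInputStream()} only.
     *
     * @return a stream over the request body, given the signature bytes and verifier
     * @throws IOException if the underlying request stream cannot be obtained
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        return new SignatureVerifyingInputStream(this.digitalSignature, this.signature, super.getInputStream());
    }
}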
