package org.apache.ws.security.saml.ext;

import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.saml.ext.builder.SAML1ComponentBuilder;
import org.apache.ws.security.saml.ext.builder.SAML2ComponentBuilder;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.util.UUIDGenerator;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.impl.SAMLObjectContentReference;
import org.opensaml.saml1.core.Assertion;
import org.opensaml.saml1.core.ConfirmationMethod;
import org.opensaml.saml1.core.Subject;
import org.opensaml.saml1.core.SubjectConfirmation;
import org.opensaml.saml1.core.SubjectStatement;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.KeyInfo;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/ws/security/saml/ext/AssertionWrapper.class */
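/**
 * Wraps a SAML 1.1 or SAML 2.0 {@code Assertion} so the rest of WSS4J can build, sign,
 * serialise and verify it without branching on the SAML version at every call site.
 *
 * <p>Security notes for users of this class:
 * <ul>
 *   <li>{@link #verifySignature(SAMLKeyInfo)} only proves that the assertion's signature was
 *       produced by the supplied key. It does not decide whether that key is trusted and it does
 *       not run the SAML signature-profile checks; callers must run
 *       {@link #validateSignatureAgainstProfile()} and apply their own trust decision to
 *       {@link #getSignatureKeyInfo()} (WSS4J's SAML token validator does both).</li>
 *   <li>{@link #verifySignature(RequestData, WSDocInfo)} resolves the verification key from the
 *       assertion's own {@code ds:KeyInfo}; the same trust caveat applies.</li>
 *   <li>The signing defaults (exclusive C14N, RSA-SHA1 / DSA-SHA1, SHA-1 digest) are kept for
 *       compatibility with existing callers. SHA-1 is deprecated for signatures; prefer passing
 *       stronger algorithms to the seven-argument {@code signAssertion}.</li>
 * </ul>
 *
 * <p>Instances hold mutable state (the wrapped assertion and a cached DOM element) with no
 * synchronisation, so they should not be shared between threads.
 */
public class AssertionWrapper {
    private static final Log LOG = LogFactory.getLog(AssertionWrapper.class);

    // Signing defaults. (The decompiled form re-assigned these finals in every constructor,
    // which does not compile; they are plain constants.)
    private static final String defaultCanonicalizationAlgorithm = WSConstants.C14N_EXCL_OMIT_COMMENTS;
    private static final String defaultRSASignatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String defaultDSASignatureAlgorithm = WSConstants.DSA;
    private static final String defaultSignatureDigestAlgorithm = WSConstants.SHA1;

    /** The wrapped assertion as a generic OpenSAML object; the same instance as saml1 or saml2. */
    private XMLObject xmlObject;
    /** Set when the wrapped object is a SAML 1.1 assertion, else null. */
    private Assertion saml1;
    /** Set when the wrapped object is a SAML 2.0 assertion, else null. */
    private org.opensaml.saml2.core.Assertion saml2;
    private SAMLVersion samlVersion;
    private CallbackHandler samlCallbackHandler;
    /** DOM form of the assertion; set when parsed from DOM and refreshed by toDOM(). */
    private Element assertionElement;
    /** Key material taken from a holder-of-key subject; populated by parseHOKSubject(). */
    private SAMLKeyInfo subjectKeyInfo;
    /** Key material that successfully verified the signature; populated by verifySignature(). */
    private SAMLKeyInfo signatureKeyInfo;
    /** True when the assertion originated from a DOM element rather than being built in memory. */
    private final boolean fromDOM;

    /**
     * Wraps an assertion that already exists as a DOM element (typically one received in a
     * message).
     *
     * @param element the {@code saml:Assertion} element
     * @throws WSSecurityException if the element cannot be unmarshalled into an OpenSAML object
     */
    public AssertionWrapper(Element element) throws WSSecurityException {
        OpenSAMLUtil.initSamlEngine();
        parseElement(element);
        this.fromDOM = true;
    }

    /** Wraps an in-memory SAML 2.0 assertion. */
    public AssertionWrapper(org.opensaml.saml2.core.Assertion assertion) {
        this((XMLObject) assertion);
    }

    /** Wraps an in-memory SAML 1.1 assertion. */
    public AssertionWrapper(Assertion assertion) {
        this((XMLObject) assertion);
    }

    /**
     * Wraps an in-memory OpenSAML object. If it is neither a SAML 1.1 nor a SAML 2.0 assertion
     * an error is logged and the wrapper stays empty ({@link #isCreated()} returns false).
     *
     * @param object the OpenSAML object to wrap; may be null (an error is logged)
     */
    public AssertionWrapper(XMLObject object) {
        OpenSAMLUtil.initSamlEngine();
        this.xmlObject = object;
        assignByType(object);
        this.fromDOM = false;
    }

    /**
     * Builds or loads an assertion by invoking the {@link CallbackHandler} held by {@code parms}.
     * If the callback supplies a DOM element it is parsed as-is; otherwise a fresh assertion is
     * constructed from the statement data the callback carries.
     *
     * @param parms supplies the callback handler and fall-back issuer / version values
     * @throws WSSecurityException if the assertion cannot be parsed or built
     * @throws IllegalStateException if the callback handler fails with an I/O error or does not
     *         support {@link SAMLCallback}
     */
    public AssertionWrapper(SAMLParms parms) throws WSSecurityException {
        OpenSAMLUtil.initSamlEngine();
        SAMLCallback[] callbacks = {new SAMLCallback()};
        try {
            this.samlCallbackHandler = parms.getCallbackHandler();
            this.samlCallbackHandler.handle(callbacks);
            SAMLCallback callback = callbacks[0];
            if (callback.getAssertionElement() != null) {
                parseElement(callback.getAssertionElement());
                this.fromDOM = true;
            } else {
                parseCallback(callback, parms);
                this.fromDOM = false;
            }
        } catch (IOException e) {
            throw new IllegalStateException("IOException while creating SAML assertion wrapper", e);
        } catch (UnsupportedCallbackException e) {
            throw new IllegalStateException(
                "UnsupportedCallbackException while creating SAML assertion wrapper", e);
        }
    }

    /** @return the SAML 1.1 assertion, or null if this wraps a SAML 2.0 assertion (or nothing) */
    public Assertion getSaml1() {
        return saml1;
    }

    /** @return the SAML 2.0 assertion, or null if this wraps a SAML 1.1 assertion (or nothing) */
    public org.opensaml.saml2.core.Assertion getSaml2() {
        return saml2;
    }

    /** @return the wrapped assertion as a generic OpenSAML object; may be null */
    public XMLObject getXmlObject() {
        return xmlObject;
    }

    /** @return true if a SAML 1.1 or SAML 2.0 assertion is wrapped */
    public boolean isCreated() {
        return saml1 != null || saml2 != null;
    }

    /**
     * Returns the assertion as a DOM element.
     *
     * <p>For a wrapper created from DOM the cached element is re-unmarshalled (so the OpenSAML
     * objects track it) and returned, imported into {@code doc} when one is given. Otherwise the
     * in-memory assertion is marshalled into {@code doc} and the result cached.
     *
     * @param doc owner document for the returned element; may be null
     * @return the assertion element
     * @throws WSSecurityException if (un)marshalling fails
     */
    public Element toDOM(Document doc) throws WSSecurityException {
        if (fromDOM && assertionElement != null) {
            parseElement(assertionElement);
            return doc != null ? (Element) doc.importNode(assertionElement, true) : assertionElement;
        }
        assertionElement = OpenSAMLUtil.toDom(xmlObject, doc);
        return assertionElement;
    }

    /**
     * Serialises the assertion to a string, marshalling it first if no DOM element is cached.
     *
     * @throws WSSecurityException if marshalling fails
     */
    public String assertionToString() throws WSSecurityException {
        Element element = assertionElement != null ? assertionElement : toDOM(null);
        return DOM2Writer.nodeToString(element);
    }

    /**
     * Returns the assertion ID. If the assertion has no ID a fresh one (a UUID prefixed with
     * {@code _}, so it is a valid XML ID) is generated and set on the assertion.
     *
     * @return the ID, or a newly generated one if none was present
     */
    public String getId() {
        String id = null;
        if (saml2 != null) {
            id = saml2.getID();
        } else if (saml1 != null) {
            id = saml1.getID();
        } else {
            LOG.error("AssertionWrapper: unable to return ID - no saml assertion object");
        }
        if (id == null || id.length() == 0) {
            LOG.error("AssertionWrapper: ID was null, setting a new ID value");
            id = "_" + UUIDGenerator.getUUID();
            if (saml2 != null) {
                saml2.setID(id);
            } else if (saml1 != null) {
                saml1.setID(id);
            }
        }
        return id;
    }

    /** @return the issuer as a string, or null if there is no assertion or no issuer */
    public String getIssuerString() {
        if (saml2 != null && saml2.getIssuer() != null) {
            return saml2.getIssuer().getValue();
        }
        if (saml1 != null) {
            return saml1.getIssuer();
        }
        LOG.error("AssertionWrapper: unable to return Issuer string - no saml assertion object or issuer is null");
        return null;
    }

    /**
     * Collects the subject-confirmation method URIs of the assertion.
     *
     * <p>For SAML 2.0 these come from the subject's {@code SubjectConfirmation} elements; a
     * missing subject yields an empty list rather than an NPE. For SAML 1.1 every statement's
     * subject is inspected, including a confirmation method carried as
     * {@code SubjectConfirmationData}.
     *
     * @return the confirmation methods in document order; never null
     */
    public List<String> getConfirmationMethods() {
        List<String> methods = new ArrayList<String>();
        if (saml2 != null) {
            org.opensaml.saml2.core.Subject subject = saml2.getSubject();
            if (subject != null) {
                for (org.opensaml.saml2.core.SubjectConfirmation confirmation
                        : subject.getSubjectConfirmations()) {
                    methods.add(confirmation.getMethod());
                }
            }
        } else if (saml1 != null) {
            List<SubjectStatement> statements = new ArrayList<SubjectStatement>();
            statements.addAll(saml1.getSubjectStatements());
            statements.addAll(saml1.getAuthenticationStatements());
            statements.addAll(saml1.getAttributeStatements());
            statements.addAll(saml1.getAuthorizationDecisionStatements());
            for (SubjectStatement statement : statements) {
                Subject subject = statement.getSubject();
                if (subject == null) {
                    continue;
                }
                SubjectConfirmation confirmation = subject.getSubjectConfirmation();
                if (confirmation == null) {
                    continue;
                }
                XMLObject data = confirmation.getSubjectConfirmationData();
                if (data instanceof ConfirmationMethod) {
                    methods.add(((ConfirmationMethod) data).getConfirmationMethod());
                }
                for (ConfirmationMethod method : confirmation.getConfirmationMethods()) {
                    methods.add(method.getConfirmationMethod());
                }
            }
        }
        return methods;
    }

    /** @return true if the assertion is marked signed or carries a {@code ds:Signature} */
    public boolean isSigned() {
        if (saml2 != null) {
            return saml2.isSigned() || saml2.getSignature() != null;
        }
        if (saml1 != null) {
            return saml1.isSigned() || saml1.getSignature() != null;
        }
        return false;
    }

    /** Attaches {@code signature} using the default (SHA-1) digest algorithm. */
    public void setSignature(Signature signature) {
        setSignature(signature, defaultSignatureDigestAlgorithm);
    }

    /**
     * Attaches a prepared {@link Signature} to the assertion and sets the digest algorithm on
     * its content reference. Any cached DOM is released so the next marshal includes the
     * signature.
     *
     * @param signature the signature to attach
     * @param digestAlgorithm digest algorithm URI; null selects the SHA-1 default
     * @throws IllegalStateException if the signature carries no content reference (the requested
     *         digest could not be applied, so silently continuing would sign with an unexpected
     *         algorithm)
     */
    public void setSignature(Signature signature, String digestAlgorithm) {
        if (!(xmlObject instanceof SignableSAMLObject)) {
            LOG.error("Attempt to sign an unsignable object "
                + (xmlObject != null ? xmlObject.getClass().getName() : null));
            return;
        }
        SignableSAMLObject signable = (SignableSAMLObject) xmlObject;
        signable.setSignature(signature);
        String digest = digestAlgorithm != null ? digestAlgorithm : defaultSignatureDigestAlgorithm;
        List<?> references = signature.getContentReferences();
        if (references == null || references.isEmpty()) {
            throw new IllegalStateException(
                "Signature has no content reference; cannot apply digest algorithm " + digest);
        }
        ((SAMLObjectContentReference) references.get(0)).setDigestAlgorithm(digest);
        signable.releaseDOM();
        signable.releaseChildrenDOM(true);
    }

    /**
     * Signs the assertion with the default algorithms (exclusive C14N, RSA-SHA1, SHA-1 digest).
     * See the seven-argument overload for parameter meanings.
     */
    public void signAssertion(String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto,
        boolean sendKeyValue) throws WSSecurityException {
        signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto, sendKeyValue,
            defaultCanonicalizationAlgorithm, defaultRSASignatureAlgorithm,
            defaultSignatureDigestAlgorithm);
    }

    /**
     * Signs the assertion with the given C14N and signature algorithms and the default SHA-1
     * digest. See the seven-argument overload for parameter meanings.
     */
    public void signAssertion(String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto,
        boolean sendKeyValue, String canonicalizationAlgorithm, String signatureAlgorithm)
        throws WSSecurityException {
        signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto, sendKeyValue,
            canonicalizationAlgorithm, signatureAlgorithm, defaultSignatureDigestAlgorithm);
    }

    /**
     * Signs the assertion with the issuer's key.
     *
     * <p>The certificate chain for {@code issuerKeyName} is looked up in {@code issuerCrypto};
     * the first certificate becomes the signing credential. If its public key is DSA the
     * signature algorithm is overridden with DSA-SHA1 regardless of {@code signatureAlgorithm}.
     *
     * @param issuerKeyName alias of the issuer key in {@code issuerCrypto}
     * @param issuerKeyPassword password protecting the private key
     * @param issuerCrypto key store wrapper holding the issuer key and certificate
     * @param sendKeyValue true to emit a {@code ds:KeyValue} in KeyInfo, false to emit the
     *        issuer certificate
     * @param canonicalizationAlgorithm C14N algorithm URI
     * @param signatureAlgorithm signature algorithm URI (ignored for DSA keys, see above)
     * @param signatureDigestAlgorithm digest algorithm URI; null selects SHA-1
     * @throws WSSecurityException if no certificate is found for the alias, the private key
     *         cannot be loaded, or KeyInfo generation fails
     */
    public void signAssertion(String issuerKeyName, String issuerKeyPassword, Crypto issuerCrypto,
        boolean sendKeyValue, String canonicalizationAlgorithm, String signatureAlgorithm,
        String signatureDigestAlgorithm) throws WSSecurityException {
        Signature signature = OpenSAMLUtil.buildSignature();
        signature.setCanonicalizationAlgorithm(canonicalizationAlgorithm);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Using Canonicalization algorithm " + canonicalizationAlgorithm);
        }

        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(issuerKeyName);
        X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
        // An empty array would otherwise fail later with an ArrayIndexOutOfBoundsException.
        if (issuerCerts == null || issuerCerts.length == 0) {
            throw new WSSecurityException(
                "No issuer certs were found to sign the SAML Assertion using issuer name: "
                + issuerKeyName);
        }

        String sigAlgo = signatureAlgorithm;
        String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
        if (LOG.isDebugEnabled()) {
            LOG.debug("automatic sig algo detection: " + pubKeyAlgo);
        }
        if ("DSA".equalsIgnoreCase(pubKeyAlgo)) {
            sigAlgo = defaultDSASignatureAlgorithm;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Using Signature algorithm " + sigAlgo);
        }

        try {
            PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
            signature.setSignatureAlgorithm(sigAlgo);

            BasicX509Credential signingCredential = new BasicX509Credential();
            signingCredential.setEntityCertificate(issuerCerts[0]);
            signingCredential.setPrivateKey(privateKey);
            signature.setSigningCredential(signingCredential);

            X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
            if (sendKeyValue) {
                kiFactory.setEmitPublicKeyValue(true);
            } else {
                kiFactory.setEmitEntityCertificate(true);
            }
            try {
                signature.setKeyInfo(kiFactory.newInstance().generate(signingCredential));
            } catch (SecurityException e) {
                throw new WSSecurityException(
                    "Error generating KeyInfo from signing credential", (Throwable) e);
            }
            setSignature(signature, signatureDigestAlgorithm);
        } catch (WSSecurityException e) {
            // Already the right type; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            throw new WSSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Verifies the assertion signature using the key resolved from the signature's own
     * {@code ds:KeyInfo}. Resolution goes through {@link SAMLUtil#getCredentialFromKeyInfo},
     * which may consult the crypto configured in {@code data}. Note that a key found only inside
     * the assertion is not thereby trusted; callers must still apply a trust check to
     * {@link #getSignatureKeyInfo()}.
     *
     * <p>A missing signature is not an error (nothing is verified).
     *
     * @param data request context (crypto, WSS configuration)
     * @param docInfo document-level state used to resolve references
     * @throws WSSecurityException if the signature has no KeyInfo, no key can be resolved, or
     *         verification fails
     */
    public void verifySignature(RequestData data, WSDocInfo docInfo) throws WSSecurityException {
        Signature signature = getSignature();
        if (signature == null) {
            LOG.debug("AssertionWrapper: no signature to validate");
            return;
        }
        KeyInfo keyInfo = signature.getKeyInfo();
        if (keyInfo == null) {
            throw new WSSecurityException(0, "invalidSAMLsecurity",
                new Object[]{"cannot get certificate or key"});
        }
        SAMLKeyInfo samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(
            keyInfo.getDOM(), data, docInfo, data.getWssConfig().isWsiBSPCompliant());
        verifySignature(samlKeyInfo);
    }

    /**
     * Verifies the assertion signature against the given key material and, on success, records
     * it as {@link #getSignatureKeyInfo()}.
     *
     * <p>This is a cryptographic check only: it proves the signature was made with the first
     * certificate (or the public key) in {@code samlKeyInfo}. It does not establish trust in
     * that key and does not enforce the SAML signature profile; callers should run
     * {@link #validateSignatureAgainstProfile()} as well.
     *
     * <p>A missing signature is not an error (nothing is verified).
     *
     * @param samlKeyInfo the key material to verify with
     * @throws WSSecurityException if no usable key is supplied or verification fails
     */
    public void verifySignature(SAMLKeyInfo samlKeyInfo) throws WSSecurityException {
        Signature signature = getSignature();
        if (signature == null) {
            LOG.debug("AssertionWrapper: no signature to validate");
            return;
        }
        if (samlKeyInfo == null) {
            throw new WSSecurityException(0, "invalidSAMLsecurity",
                new Object[]{"cannot get certificate or key"});
        }
        BasicX509Credential credential = new BasicX509Credential();
        X509Certificate[] certs = samlKeyInfo.getCerts();
        if (certs != null && certs.length > 0) {
            credential.setEntityCertificate(certs[0]);
        } else if (samlKeyInfo.getPublicKey() != null) {
            credential.setPublicKey(samlKeyInfo.getPublicKey());
        } else {
            throw new WSSecurityException(0, "invalidSAMLsecurity",
                new Object[]{"cannot get certificate or key"});
        }
        try {
            new SignatureValidator(credential).validate(signature);
        } catch (ValidationException e) {
            throw new WSSecurityException("SAML signature validation failed", (Throwable) e);
        }
        signatureKeyInfo = samlKeyInfo;
    }

    /**
     * Checks the signature against OpenSAML's SAML signature profile (e.g. a single enveloped
     * reference to the assertion itself). Run this alongside signature verification on any
     * assertion received from outside. A missing signature passes.
     *
     * @throws WSSecurityException if the signature violates the profile
     */
    public void validateSignatureAgainstProfile() throws WSSecurityException {
        Signature signature = getSignature();
        if (signature == null) {
            return;
        }
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            throw new WSSecurityException("SAML signature validation failed", (Throwable) e);
        }
    }

    /** @return the assertion's {@link Signature}, or null if it is unsigned or empty */
    public Signature getSignature() {
        if (saml2 != null && saml2.getSignature() != null) {
            return saml2.getSignature();
        }
        if (saml1 != null && saml1.getSignature() != null) {
            return saml1.getSignature();
        }
        return null;
    }

    /**
     * If any of the assertion's confirmation methods is holder-of-key, extracts the subject's
     * key material into {@link #getSubjectKeyInfo()}. Every confirmation method is inspected,
     * so an assertion listing e.g. bearer before holder-of-key is still handled.
     *
     * @param data request context (crypto, WSS configuration)
     * @param docInfo document-level state used to resolve references
     * @throws WSSecurityException if the subject key material cannot be extracted
     */
    public void parseHOKSubject(RequestData data, WSDocInfo docInfo) throws WSSecurityException {
        List<String> methods = getConfirmationMethods();
        if (methods == null) {
            return;
        }
        for (String method : methods) {
            if (!OpenSAMLUtil.isMethodHolderOfKey(method)) {
                continue;
            }
            boolean bspCompliant = data.getWssConfig().isWsiBSPCompliant();
            if (saml1 != null) {
                subjectKeyInfo = SAMLUtil.getCredentialFromSubject(saml1, data, docInfo, bspCompliant);
            } else if (saml2 != null) {
                subjectKeyInfo = SAMLUtil.getCredentialFromSubject(saml2, data, docInfo, bspCompliant);
            }
            return;
        }
    }

    /**
     * Returns the SAML version, recomputing it from which assertion field is set when it was not
     * recorded.
     *
     * @throws IllegalStateException if neither (or, inconsistently, both) assertion fields are set
     */
    public SAMLVersion getSamlVersion() {
        if (samlVersion == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("The SAML version was null in getSamlVersion(). Recomputing SAML version...");
            }
            if (saml1 != null && saml2 == null) {
                samlVersion = SAMLVersion.VERSION_11;
            } else if (saml1 == null && saml2 != null) {
                samlVersion = SAMLVersion.VERSION_20;
            } else {
                throw new IllegalStateException(
                    "Could not determine the SAML version number. Check your configuration and try again.");
            }
        }
        return samlVersion;
    }

    /** @return the cached DOM element, or null if the assertion has not been marshalled */
    public Element getElement() {
        return assertionElement;
    }

    /** @return the key material that verified the signature, or null before verification */
    public SAMLKeyInfo getSignatureKeyInfo() {
        return signatureKeyInfo;
    }

    /** @return the holder-of-key subject key material, or null if none was parsed */
    public SAMLKeyInfo getSubjectKeyInfo() {
        return subjectKeyInfo;
    }

    /**
     * Returns the raw {@code ds:SignatureValue} bytes (e.g. for use as a token identifier).
     *
     * @return the signature value, or null if the assertion is unsigned
     * @throws WSSecurityException if the signature has no DOM or cannot be read by Santuario
     */
    public byte[] getSignatureValue() throws WSSecurityException {
        Signature signature = getSignature();
        if (signature == null) {
            return null;
        }
        Element signatureDom = signature.getDOM();
        if (signatureDom == null) {
            // An unmarshalled signature has no DOM to read the value from.
            throw new WSSecurityException(0, "invalidSAMLsecurity",
                new Object[]{"cannot get signature DOM"});
        }
        try {
            return new XMLSignature(signatureDom, "").getSignatureValue();
        } catch (XMLSignatureException e) {
            throw new WSSecurityException(0, "invalidSAMLsecurity", null, e);
        } catch (XMLSecurityException e) {
            throw new WSSecurityException(0, "invalidSAMLsecurity", null, e);
        }
    }

    /**
     * Unmarshals {@code element}, records it as the cached DOM and assigns the SAML 1.1 / 2.0
     * field by type.
     */
    private void parseElement(Element element) throws WSSecurityException {
        xmlObject = OpenSAMLUtil.fromDom(element);
        assignByType(xmlObject);
        assertionElement = element;
    }

    /**
     * Assigns {@code saml1} / {@code saml2} and the version according to the runtime type of
     * {@code object}. Anything else is logged and leaves the wrapper empty.
     */
    private void assignByType(XMLObject object) {
        if (object instanceof Assertion) {
            saml1 = (Assertion) object;
            samlVersion = SAMLVersion.VERSION_11;
        } else if (object instanceof org.opensaml.saml2.core.Assertion) {
            saml2 = (org.opensaml.saml2.core.Assertion) object;
            samlVersion = SAMLVersion.VERSION_20;
        } else {
            LOG.error("AssertionWrapper: found unexpected type "
                + (object != null ? object.getClass().getName() : null));
        }
    }

    /**
     * Builds a new assertion from the data in {@code callback}, falling back to {@code parms}
     * for the SAML version and issuer when the callback leaves them unset.
     *
     * @throws WSSecurityException if the resolved SAML version is null or unsupported, or a
     *         component cannot be built
     */
    private void parseCallback(SAMLCallback callback, SAMLParms parms) throws WSSecurityException {
        samlVersion = callback.getSamlVersion();
        if (samlVersion == null) {
            samlVersion = parms.getSAMLVersion();
        }
        String issuer = callback.getIssuer();
        if (issuer == null && parms.getIssuer() != null) {
            issuer = parms.getIssuer();
        }

        if (SAMLVersion.VERSION_11.equals(samlVersion)) {
            saml1 = SAML1ComponentBuilder.createSamlv1Assertion(issuer);
            try {
                saml1.getAuthenticationStatements().addAll(
                    SAML1ComponentBuilder.createSamlv1AuthenticationStatement(
                        callback.getAuthenticationStatementData()));
                saml1.getAttributeStatements().addAll(
                    SAML1ComponentBuilder.createSamlv1AttributeStatement(
                        callback.getAttributeStatementData()));
                saml1.getAuthorizationDecisionStatements().addAll(
                    SAML1ComponentBuilder.createSamlv1AuthorizationDecisionStatement(
                        callback.getAuthDecisionStatementData()));
                saml1.setConditions(
                    SAML1ComponentBuilder.createSamlv1Conditions(callback.getConditions()));
            } catch (SecurityException e) {
                throw new WSSecurityException(
                    "Error generating KeyInfo from signing credential", (Throwable) e);
            }
            xmlObject = saml1;
        } else if (SAMLVersion.VERSION_20.equals(samlVersion)) {
            saml2 = SAML2ComponentBuilder.createAssertion();
            Issuer samlIssuer = SAML2ComponentBuilder.createIssuer(issuer);
            saml2.getAuthnStatements().addAll(
                SAML2ComponentBuilder.createAuthnStatement(callback.getAuthenticationStatementData()));
            saml2.getAttributeStatements().addAll(
                SAML2ComponentBuilder.createAttributeStatement(callback.getAttributeStatementData()));
            saml2.getAuthzDecisionStatements().addAll(
                SAML2ComponentBuilder.createAuthorizationDecisionStatement(
                    callback.getAuthDecisionStatementData()));
            saml2.setIssuer(samlIssuer);
            try {
                saml2.setSubject(SAML2ComponentBuilder.createSaml2Subject(callback.getSubject()));
                saml2.setConditions(SAML2ComponentBuilder.createConditions(callback.getConditions()));
            } catch (SecurityException e) {
                throw new WSSecurityException(
                    "Error generating KeyInfo from signing credential", (Throwable) e);
            }
            xmlObject = saml2;
        } else {
            // Previously a null version threw an NPE and an unknown one silently built nothing.
            throw new WSSecurityException("Unsupported or missing SAML version: " + samlVersion);
        }
    }
}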
