package org.keycloak.protocol.saml;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriInfo;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.PemUtils;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.ArtifactResponseType;
import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusType;
import org.keycloak.models.ClientModel;
import org.keycloak.rotation.HardcodedKeyLocator;
import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.common.util.StaxUtil;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
import org.keycloak.saml.processing.core.saml.v2.writers.SAMLResponseWriter;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocolUtils.class */
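public class SamlProtocolUtils {

    /** Query parameter names of the SAML HTTP-Redirect binding. */
    private static final String SIG_ALG_PARAM = "SigAlg";
    private static final String SIGNATURE_PARAM = "Signature";
    private static final String RELAY_STATE_PARAM = "RelayState";

    /**
     * Verifies the XML signature on {@code document} using only the signing certificate
     * configured on the client (wrapped in a {@link HardcodedKeyLocator}).
     *
     * @param clientModel client whose configured signing certificate is the sole accepted key
     * @param document signed SAML document
     * @throws VerificationException if the client has no usable certificate, the signature does
     *     not validate, or signature processing fails
     */
    public static void verifyDocumentSignature(ClientModel clientModel, Document document) throws VerificationException {
        KeyLocator locator = new HardcodedKeyLocator(getSignatureValidationKey(clientModel));
        verifyDocumentSignature(document, locator);
    }

    /**
     * Verifies the XML signature on {@code document} against keys supplied by {@code keyLocator}.
     *
     * @param document signed SAML document
     * @param keyLocator source of the public keys allowed to sign the document
     * @throws VerificationException if the signature is invalid or validation raises a
     *     {@link ProcessingException}
     */
    public static void verifyDocumentSignature(Document document, KeyLocator keyLocator) throws VerificationException {
        boolean valid;
        try {
            valid = new SAML2Signature().validate(document, keyLocator);
        } catch (ProcessingException e) {
            throw new VerificationException("Error validating signature", e);
        }
        if (!valid) {
            throw new VerificationException("Invalid signature on document");
        }
    }

    /**
     * Returns the public key of the client's configured signing certificate.
     *
     * @param clientModel client whose signing certificate is read via {@link SamlClient}
     * @return the certificate's public key
     * @throws VerificationException if no certificate is configured, it cannot be decoded, or it
     *     is outside its validity period
     */
    public static PublicKey getSignatureValidationKey(ClientModel clientModel) throws VerificationException {
        String pem = new SamlClient(clientModel).getClientSigningCertificate();
        return getPublicKey(pem);
    }

    /**
     * Returns the public key of the client's configured encryption certificate.
     *
     * @param clientModel client carrying {@link SamlConfigAttributes#SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE}
     * @return the certificate's public key
     * @throws VerificationException if no certificate is configured, it cannot be decoded, or it
     *     is outside its validity period
     */
    public static PublicKey getEncryptionKey(ClientModel clientModel) throws VerificationException {
        return getPublicKey(clientModel, SamlConfigAttributes.SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE);
    }

    /**
     * Returns the public key of the PEM certificate stored in the named client attribute.
     *
     * @param clientModel client to read the attribute from
     * @param str name of the client attribute holding the PEM-encoded certificate
     * @return the certificate's public key
     * @throws VerificationException if the attribute is absent, the certificate cannot be decoded,
     *     or it is outside its validity period
     */
    public static PublicKey getPublicKey(ClientModel clientModel, String str) throws VerificationException {
        return getPublicKey(clientModel.getAttribute(str));
    }

    /**
     * Decodes a PEM certificate and returns its public key.
     *
     * <p>Only the certificate's own validity period is checked ({@link X509Certificate#checkValidity()});
     * the certificate is operator-configured per client, so no chain building or revocation
     * checking happens here.
     *
     * @param pem PEM-encoded X.509 certificate, may be {@code null}
     * @return the certificate's public key
     * @throws VerificationException if {@code pem} is {@code null}, the certificate is expired or
     *     not yet valid, or decoding fails for any other reason
     */
    private static PublicKey getPublicKey(String pem) throws VerificationException {
        if (pem == null) {
            throw new VerificationException("Client does not have a public key.");
        }
        try {
            X509Certificate certificate = PemUtils.decodeCertificate(pem);
            certificate.checkValidity();
            return certificate.getPublicKey();
        } catch (CertificateException e) {
            // keep the cause: it says whether the cert is expired or not yet valid
            throw new VerificationException("Certificate is not valid.", e);
        } catch (Exception e) {
            throw new VerificationException("Could not decode cert", e);
        }
    }

    /**
     * Verifies the HTTP-Redirect binding signature of a request arriving via {@code uriInfo}.
     *
     * <p>The query parameters are read undecoded ({@code getQueryParameters(false)}) because the
     * signature covers the URL-encoded form of the values.
     *
     * @param sAMLDocumentHolder parsed SAML message, used to look up a key-id hint in its extensions
     * @param keyLocator source of the public keys allowed to sign the message
     * @param uriInfo request URI whose query string carries the message and signature
     * @param str name of the query parameter holding the SAML message (typically
     *     {@code SAMLRequest} or {@code SAMLResponse})
     * @throws VerificationException if a required parameter is missing, no public key can be
     *     located, or the signature does not verify
     */
    public static void verifyRedirectSignature(SAMLDocumentHolder sAMLDocumentHolder, KeyLocator keyLocator, UriInfo uriInfo, String str) throws VerificationException {
        MultivaluedMap<String, String> rawParams = uriInfo.getQueryParameters(false);
        verifyRedirectSignature(sAMLDocumentHolder, keyLocator, rawParams, str);
    }

    /**
     * Verifies the HTTP-Redirect binding signature over the given (URL-encoded) query parameters.
     *
     * <p>The signed string is rebuilt in binding order: {@code <str>=<message>}, then
     * {@code &RelayState=<relayState>} only if that parameter is present, then
     * {@code &SigAlg=<sigAlg>}. The {@code SigAlg} value is attacker-controlled input; it is only
     * used to select an algorithm through {@link SignatureAlgorithm#getFromXmlMethod(String)},
     * which is expected to reject anything outside the supported set.
     *
     * @param sAMLDocumentHolder parsed SAML message, used to look up a key-id hint in its extensions
     * @param keyLocator source of the public keys allowed to sign the message
     * @param multivaluedMap raw, still URL-encoded query parameters
     * @param str name of the query parameter holding the SAML message
     * @throws VerificationException if a required parameter is missing, the located key is not a
     *     public key, the signature does not verify, or decoding/verification fails
     */
    public static void verifyRedirectSignature(SAMLDocumentHolder sAMLDocumentHolder, KeyLocator keyLocator, MultivaluedMap<String, String> multivaluedMap, String str) throws VerificationException {
        String samlMessage = multivaluedMap.getFirst(str);
        String sigAlg = multivaluedMap.getFirst(SIG_ALG_PARAM);
        String signature = multivaluedMap.getFirst(SIGNATURE_PARAM);
        String relayState = multivaluedMap.getFirst(RELAY_STATE_PARAM);

        if (samlMessage == null) {
            throw new VerificationException("SAM was null");
        }
        if (sigAlg == null) {
            throw new VerificationException("SigAlg was null");
        }
        if (signature == null) {
            throw new VerificationException("Signature was null");
        }

        // The key id comes from the not-yet-verified message, so it can only select among keys
        // the locator already knows; a null id presumably yields the locator's default key.
        String keyId = getMessageSigningKeyId(sAMLDocumentHolder.getSamlObject());

        StringBuilder signedData = new StringBuilder()
                .append(str).append("=").append(samlMessage);
        if (multivaluedMap.containsKey(RELAY_STATE_PARAM)) {
            signedData.append("&RelayState=").append(relayState);
        }
        signedData.append("&SigAlg=").append(sigAlg);
        byte[] signedBytes = signedData.toString().getBytes(StandardCharsets.UTF_8);

        try {
            byte[] signatureBytes = RedirectBindingUtil.urlBase64Decode(signature);
            // SigAlg is matched against the algorithm URI, so it is URL-decoded for the lookup
            // (the raw encoded value above is what the signature actually covers).
            Signature verifier = SignatureAlgorithm
                    .getFromXmlMethod(RedirectBindingUtil.urlDecode(sigAlg))
                    .createSignature();

            Key key = keyLocator.getKey(keyId);
            if (!(key instanceof PublicKey)) {
                throw new VerificationException("Invalid key locator for signature verification");
            }
            verifier.initVerify((PublicKey) key);
            verifier.update(signedBytes);
            if (!verifier.verify(signatureBytes)) {
                throw new VerificationException("Invalid query param signature");
            }
        } catch (VerificationException e) {
            // our own failures must not be re-wrapped by the blanket catch below
            throw e;
        } catch (Exception e) {
            // key lookup, algorithm selection, base64 decoding and JCA verification all throw
            // checked exceptions; surface them as a verification failure with the cause attached
            throw new VerificationException(e);
        }
    }

    /**
     * Extracts the Keycloak key-id hint from the message's {@code Extensions} element, if any.
     *
     * @param samlObject a request or status response; other types carry no extensions
     * @return the first key id found in an extension element, or {@code null} if none
     */
    private static String getMessageSigningKeyId(SAML2Object samlObject) {
        ExtensionsType extensions;
        if (samlObject instanceof RequestAbstractType) {
            extensions = ((RequestAbstractType) samlObject).getExtensions();
        } else if (samlObject instanceof StatusResponseType) {
            extensions = ((StatusResponseType) samlObject).getExtensions();
        } else {
            return null;
        }
        if (extensions == null) {
            return null;
        }
        for (Object ext : extensions.getAny()) {
            if (!(ext instanceof Element)) {
                continue;
            }
            String keyId = KeycloakKeySamlExtensionGenerator.getMessageSigningKeyIdFromElement((Element) ext);
            if (keyId != null) {
                return keyId;
            }
        }
        return null;
    }

    /**
     * Wraps a SAML message in an {@code ArtifactResponse} carrying the given status.
     *
     * @param sAML2Object message to embed as the response payload
     * @param nameIDType issuer of the artifact response
     * @param uri status code URI to report
     * @return a freshly built artifact response with a generated id and current issue instant
     * @throws ConfigurationException propagated from issue-instant generation
     * @throws ProcessingException propagated from issue-instant generation
     */
    public static ArtifactResponseType buildArtifactResponse(SAML2Object sAML2Object, NameIDType nameIDType, URI uri) throws ConfigurationException, ProcessingException {
        StatusCodeType statusCode = new StatusCodeType();
        statusCode.setValue(uri);
        StatusType status = new StatusType();
        status.setStatusCode(statusCode);

        ArtifactResponseType response = new ArtifactResponseType(IDGenerator.create("ID_"), XMLTimeUtil.getIssueInstant());
        response.setStatus(status);
        response.setIssuer(nameIDType);
        response.setAny(sAML2Object);
        return response;
    }

    /**
     * Wraps a SAML message in an {@code ArtifactResponse} with status {@code Success}.
     *
     * @param sAML2Object message to embed as the response payload
     * @param nameIDType issuer of the artifact response
     * @return the artifact response
     * @throws ConfigurationException propagated from {@link #buildArtifactResponse(SAML2Object, NameIDType, URI)}
     * @throws ProcessingException propagated from {@link #buildArtifactResponse(SAML2Object, NameIDType, URI)}
     */
    public static ArtifactResponseType buildArtifactResponse(SAML2Object sAML2Object, NameIDType nameIDType) throws ConfigurationException, ProcessingException {
        return buildArtifactResponse(sAML2Object, nameIDType, JBossSAMLURIConstants.STATUS_SUCCESS.getUri());
    }

    /**
     * Parses a SAML document and wraps it in a successful {@code ArtifactResponse}, using the
     * embedded message's own issuer.
     *
     * @param document SAML request or status response document
     * @return the artifact response
     * @throws ParsingException if the document cannot be parsed
     * @throws ProcessingException if the document is neither a request nor a status response
     * @throws ConfigurationException propagated from response construction
     */
    public static ArtifactResponseType buildArtifactResponse(Document document) throws ParsingException, ProcessingException, ConfigurationException {
        // Must be typed as SAML2Object: a StatusResponseType-typed variable cannot be tested
        // against the unrelated RequestAbstractType.
        SAML2Object samlObject = SAML2Request.getSAML2ObjectFromDocument(document).getSamlObject();
        if (samlObject instanceof StatusResponseType) {
            StatusResponseType response = (StatusResponseType) samlObject;
            return buildArtifactResponse(response, response.getIssuer());
        }
        if (samlObject instanceof RequestAbstractType) {
            RequestAbstractType request = (RequestAbstractType) samlObject;
            return buildArtifactResponse(request, request.getIssuer());
        }
        throw new ProcessingException("SAMLObject was not StatusResponseType or LogoutRequestType");
    }

    /**
     * Serializes an artifact response and re-parses it into a DOM document.
     *
     * @param artifactResponseType response to serialize
     * @return DOM document of the serialized response
     * @throws ProcessingException if writing or parsing fails
     * @throws ConfigurationException propagated from the parser setup
     * @throws ParsingException if the serialized XML cannot be parsed
     */
    public static Document convert(ArtifactResponseType artifactResponseType) throws ProcessingException, ConfigurationException, ParsingException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(buffer));
        writer.write(artifactResponseType);
        return DocumentUtil.getDocument(new ByteArrayInputStream(buffer.toByteArray()));
    }
}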
